Lock versions for releases: 8.19,9.0,9.1,9.2 (#5234)

github-actions[bot] · web-flow · commit b9b8e245145a · 2025-10-17T22:10:05.000+05:30
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
@@ -1021,9 +1021,9 @@
   },
   "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
     "rule_name": "Simple HTTP Web Server Connection",
-    "sha256": "727923839de557236140f1a6cd53a8fecc509ccfd588c0f9201b3838ff5577b5",
+    "sha256": "15d0107c6bef8fe9ec0b4cd67d016ee63c23d7a545a81ceabb20663db9257e15",
     "type": "eql",
-    "version": 4
+    "version": 5
   },
   "184dfe52-2999-42d9-b9d1-d1ca54495a61": {
     "rule_name": "GCP Logging Sink Modification",
@@ -1207,9 +1207,9 @@
   },
   "1d485649-c486-4f1d-a99c-8d64795795ad": {
     "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt",
-    "sha256": "ea72510a39315b359b31cda2a6a6372940ec6776a5da96685a7e6c5dd6862cba",
+    "sha256": "c074d6687b59f8e9a8ddf9fb262efa268ccb014e0e218c7d1f8ee218f6d627eb",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
     "rule_name": "AWS IAM Roles Anywhere Profile Creation",
@@ -1296,10 +1296,10 @@
     "version": 115
   },
   "1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
-    "rule_name": "AWS Signin Single Factor Console Login with Federated User",
-    "sha256": "d7dfefbed76f68577979701e4d7c33a6f48472d06569c268597a2d9553913692",
-    "type": "esql",
-    "version": 4
+    "rule_name": "AWS Sign-In Console Login with Federated User",
+    "sha256": "6e9e9d0016eeb4eb826db8de79279670dfa3a06d3fe5a5818eadb4a626d4e1d7",
+    "type": "query",
+    "version": 5
   },
   "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
     "rule_name": "Unusual Process Execution on WBEM Path",
@@ -2215,9 +2215,9 @@
   },
   "37cb6756-8892-4af3-a6bd-ddc56db0069d": {
     "rule_name": "Disabling Lsa Protection via Registry Modification",
-    "sha256": "bcda7d22eba2491baa39d158b4381eec6d1df82b9d2b4c534e474a7f7c384b0b",
+    "sha256": "7aa1bf4249d928691c8853f7d53ad91afa3feb71d8bef5ddda0bf736c08c0d82",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
     "rule_name": "Spike in User Account Management Events",
@@ -2551,9 +2551,9 @@
   },
   "403ef0d3-8259-40c9-a5b6-d48354712e49": {
     "rule_name": "Unusual Persistence via Services Registry",
-    "sha256": "3b86134e6a85714e4676aa01b2952e1a4936c55d61269d6858ab4364c23badd8",
+    "sha256": "53ec3c9de6cdade61cc0a64a9f0a1f4b8eb7587226bd349f521eee3cec24e2cc",
     "type": "eql",
-    "version": 314
+    "version": 315
   },
   "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
     "rule_name": "Suspicious Modprobe File Event",
@@ -2983,9 +2983,9 @@
   },
   "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
     "rule_name": "AWS Management Console Brute Force of Root User Identity",
-    "sha256": "46fed600c5e09c71e595ea8fba723e6da3eca531ac34ece084bb236a5755e711",
+    "sha256": "5eadaab1d0d86d7b1bb08cc7a0f7a80aa2c7cc383e6d35bfdf16542fb8252cc0",
     "type": "threshold",
-    "version": 210
+    "version": 211
   },
   "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
     "rule_name": "Attempt to Disable Gatekeeper",
@@ -3337,9 +3337,9 @@
   },
   "57bfa0a9-37c0-44d6-b724-54bf16787492": {
     "rule_name": "DNS Global Query Block List Modified or Disabled",
-    "sha256": "45f445274735262eed52517014047be86ee5efa40278bfde4ec07e09ad01577a",
+    "sha256": "06514c775695c6ffb15b50ee3e811ce692a4cdd882e2912e1a0ee65bbe346273",
     "type": "eql",
-    "version": 207
+    "version": 208
   },
   "581add16-df76-42bb-af8e-c979bfb39a59": {
     "rule_name": "Backup Deletion with Wbadmin",
@@ -4045,9 +4045,9 @@
   },
   "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
     "rule_name": "AWS IAM User Created Access Keys For Another User",
-    "sha256": "888041749b4414c84d0be90a29ada95f7951e481609ee11d11d96c9f959546dd",
+    "sha256": "7b39cd5eb1265b38b23ac4a4fd9eac4a5e4b88e749188c3227771a3ae3177289",
     "type": "esql",
-    "version": 7
+    "version": 8
   },
   "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
     "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -4068,10 +4068,10 @@
     "version": 314
   },
   "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
-    "rule_name": "AWS IAM Password Recovery Requested",
-    "sha256": "a03120071cd58fed8c869795a758044717e224f1b2806cf58bc0e62c11612b04",
+    "rule_name": "AWS Sign-In Root Password Recovery Requested",
+    "sha256": "6a87957460149a2c3c9da1446442d537242d2a1338dd78452c1333f8ef267fdc",
     "type": "query",
-    "version": 209
+    "version": 210
   },
   "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
     "rule_name": "Attempt to Disable Auditd Service",
@@ -5602,10 +5602,10 @@
     "version": 213
   },
   "9563dace-5822-11f0-b1d3-f661ea17fbcd": {
-    "rule_name": "Suspicious Entra ID OAuth User Impersonation Scope Detected",
-    "sha256": "c6deeb78d65208cb064ab63b5fe16696308020973d3b7c228fc9c1f7aaea879e",
+    "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client",
+    "sha256": "d85a04027a6cadbdbeda3a5e2788d97cad91e18a225baf00319a3c844dc3fe64",
     "type": "new_terms",
-    "version": 2
+    "version": 3
   },
   "959a7353-1129-4aa7-9084-30746b256a70": {
     "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
@@ -5885,9 +5885,9 @@
   },
   "9aa4be8d-5828-417d-9f54-7cd304571b24": {
     "rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
-    "sha256": "fe18f1e29bcdc1dcebe1106d801d86351d22fd0e8f8cf68879814bf0a2cc1c96",
-    "type": "esql",
-    "version": 7
+    "sha256": "74186d700eaba184070afd0868707a68047dd64ddb8ceae3800367c60e212878",
+    "type": "eql",
+    "version": 8
   },
   "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
     "rule_name": "GitHub Owner Role Granted To User",
@@ -5913,6 +5913,12 @@
     "type": "eql",
     "version": 8
   },
+  "9c0f61fa-abf4-4b11-8d9d-5978c09182dd": {
+    "rule_name": "Potential Command Shell via NetCat",
+    "sha256": "8b7366396a7d5ebe64d336b843c68f81ab1cb913704133ec08cad70891f0de37",
+    "type": "eql",
+    "version": 1
+  },
   "9c260313-c811-4ec8-ab89-8f6530e0246c": {
     "rule_name": "Hosts File Modified",
     "sha256": "390ab06dca3ca8c0b33b0af8548cfa728ba4c0ddd18d67a0435f3209a453f6da",
@@ -6117,6 +6123,18 @@
     "type": "eql",
     "version": 111
   },
+  "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": {
+    "rule_name": "Azure Storage Account Deletion by Unusual User",
+    "sha256": "a34ca5e23f6bdc0676fadb6a439653d4c17c1d7123a2399983f25d24ecabd5c6",
+    "type": "new_terms",
+    "version": 1
+  },
+  "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": {
+    "rule_name": "Entra ID Protection Admin Confirmed Compromise",
+    "sha256": "38404d75082d19283a1f7a678f193438c1eb1868ab1c395c3b5633bd6c8e89e4",
+    "type": "query",
+    "version": 1
+  },
   "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
     "rule_name": "Linux Group Creation",
     "sha256": "117c5642bf9abb1c8ced8f0fb4f7ea6f53eeb0d759dcd7d7ef8d94931407ed0d",
@@ -6303,6 +6321,12 @@
     "type": "eql",
     "version": 8
   },
+  "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": {
+    "rule_name": "Azure Storage Blob Retrieval via AzCopy",
+    "sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683",
+    "type": "new_terms",
+    "version": 1
+  },
   "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
     "rule_name": "High Variance in RDP Session Duration",
     "sha256": "ab11651cb3fb46c70c3fdbf4479abc32ea2fb7d096747443517a1d135615d72c",
@@ -6687,6 +6711,12 @@
     "type": "eql",
     "version": 212
   },
+  "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": {
+    "rule_name": "Azure Storage Account Deletions by User",
+    "sha256": "0f80a00629784a14aee160694167d10df069b573b26579e2bc65a08152b94be1",
+    "type": "threshold",
+    "version": 1
+  },
   "b347b919-665f-4aac-b9e8-68369bf2340c": {
     "rule_name": "Unusual Linux Username",
     "sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1",
@@ -6785,9 +6815,9 @@
   },
   "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
     "rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
-    "sha256": "eccf507bc8d95b170c3c8fe97c0d64f5c18cbd98f12ad13d52942d956fd7fd65",
+    "sha256": "209df9ae546ce07831a4b3ba56aba23d6f88229516b869bf7b7b1d654f795f55",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
     "rule_name": "Azure Event Hub Authorization Rule Created or Updated",
@@ -6837,6 +6867,12 @@
     "type": "eql",
     "version": 210
   },
+  "b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": {
+    "rule_name": "Azure Recovery Services Resource Deleted",
+    "sha256": "1b78e1a881f43c3177aead24fc927410356a5d006d1cda47e70d26a9e9641342",
+    "type": "query",
+    "version": 1
+  },
   "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
     "rule_name": "Kirbi File Creation",
     "sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e",
@@ -6952,10 +6988,10 @@
     "version": 211
   },
   "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
-    "rule_name": "AWS Root Login Without MFA",
-    "sha256": "519788e45f361c3cb6338fc81531cda4b6aa8e9179a53857eef300b9b554633e",
+    "rule_name": "Deprecated - AWS Root Login Without MFA",
+    "sha256": "1f43dead85d0d3544a5c39d1e599b0413d8338a3bd86555c4c1259946d0a1686",
     "type": "query",
-    "version": 211
+    "version": 212
   },
   "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
     "rule_name": "GCP Storage Bucket Deletion",
@@ -7121,15 +7157,15 @@
   },
   "c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
     "rule_name": "AWS IAM Login Profile Added for Root",
-    "sha256": "3b617425debc3763357899a4263aa9e971a933de176e492566d0fc6f1c69ba8b",
-    "type": "esql",
-    "version": 3
+    "sha256": "c5bbdc1ecd098d1662468fe725a7c06a09fbe0ba15cc114d30c6913b14c20b38",
+    "type": "eql",
+    "version": 4
   },
   "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": {
     "rule_name": "Excessive Secret or Key Retrieval from Azure Key Vault",
-    "sha256": "71490d9e8c07a97f2667d6114cb624765794bbb66594e75796631e71ba0b191d",
+    "sha256": "3042d4bb8ab097ead4fa72001cd04d2743f87611580ff1c9b8bcb407509522ff",
     "type": "esql",
-    "version": 3
+    "version": 4
   },
   "c0b9dc99-c696-4779-b086-0d37dc2b3778": {
     "rule_name": "Memory Dump File with Unusual Extension",
@@ -7167,6 +7203,12 @@
     "type": "eql",
     "version": 4
   },
+  "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": {
+    "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User",
+    "sha256": "88df0fc3cd338a29ae8295259e9f0d1dadb41f0c776597e8de99f353aac0fa2c",
+    "type": "new_terms",
+    "version": 1
+  },
   "c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
     "rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
     "sha256": "1fb0a155b09c230d21da5f67b1371127da7b21d7f20eeedf34c8835ccbd6825d",
@@ -8007,6 +8049,12 @@
     "type": "eql",
     "version": 1
   },
+  "d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": {
+    "rule_name": "Azure Compute Restore Point Collections Deleted",
+    "sha256": "ffb8ee8defb030d0393b9f49ecbd35b48e0c588a1fc7aa474c0ea9783cbb4084",
+    "type": "threshold",
+    "version": 1
+  },
   "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
     "rule_name": "AWS IAM Deactivation of MFA Device",
     "sha256": "e3aa8dd0f5cf3941fcbd532ba48689e04c30276c78f3c8eb76b4a025c1f0ed4a",
@@ -8183,9 +8231,9 @@
   },
   "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
     "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
-    "sha256": "22beec2712ccc6324db5a12c0229a5dbf1dfa203f5f40cdc2b8252829c11635b",
-    "type": "esql",
-    "version": 6
+    "sha256": "b3ca27c45d2de7b202cc549993210a03f1957b463a3f9bbcefb64f7add983b2d",
+    "type": "eql",
+    "version": 7
   },
   "ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
     "rule_name": "File Creation in /var/log via Suspicious Process",
@@ -8249,9 +8297,9 @@
   },
   "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
     "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
-    "sha256": "3425a710a5f13c4e30c9c4037a965992ccc0a30a688df68fece4052ac7458c30",
-    "type": "esql",
-    "version": 6
+    "sha256": "0ea7a9667e0f94a73639fcccf64290ba4166d4aec6157b99cee23d42147754b8",
+    "type": "eql",
+    "version": 7
   },
   "df959768-b0c9-4d45-988c-5606a2be8e5a": {
     "rule_name": "Unusual Process Execution - Temp",
@@ -8369,9 +8417,9 @@
   },
   "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
     "rule_name": "AWS Management Console Root Login",
-    "sha256": "55a1881c70b22e2d80c9d0b37c8ec78fab97cdee6442c7362d75b9479ad0335a",
+    "sha256": "019e82bf0a7ce94d7eb9d5ef8c69792e65dcf4fed414132cf22f8f1bc105439c",
     "type": "query",
-    "version": 211
+    "version": 212
   },
   "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
     "rule_name": "System Network Connections Discovery",
@@ -9243,6 +9291,12 @@
     "type": "query",
     "version": 1
   },
+  "f754e348-f36f-4510-8087-d7f29874cc12": {
+    "rule_name": "AWS Sign-In Token Created",
+    "sha256": "5a4040e73d23453205709b9e456464e7d162621cff2e1513ca9e81c7a3b97414",
+    "type": "query",
+    "version": 1
+  },
   "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
     "rule_name": "System Hosts File Access",
     "sha256": "95d21e6f12f573fcfe1c7b40679200ac326659d5bec0e2e78d7729d1967afa05",
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
@@ -76,7 +76,6 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-aws-secrets-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-secrets-manager.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-service-quotas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-service-quotas.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-sign-in](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sign-in.json&leave_site_dialog=false&tabs=false)|
-|[Elastic-detection-rules-tags-aws-signin](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-signin.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-sns](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sns.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-sqs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sqs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-ssm](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ssm.json&leave_site_dialog=false&tabs=false)|
@@ -86,6 +85,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-azure-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-activity-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure-key-vault](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-key-vault.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure-platform-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-platform-logs.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-azure-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-storage.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)|
@@ -110,6 +110,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-email](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-email.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-endpoint.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-entra-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-audit-logs.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-entra-id-protection-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id-protection-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-entra-id-sign-in](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id-sign-in.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-entra-id.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.1"
+version = "1.5.2"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
