From e76a0a425dc40d33ac0377de4d1babd3118d2a68 Mon Sep 17 00:00:00 2001
From: Domenico Andreoli
Date: Fri, 13 Dec 2024 09:32:24 +0100
Subject: [PATCH] Switch to 4 digits rules number
---
 tests/reports/alerts_from_queries.md | 116 +-
 tests/reports/alerts_from_rules-8.10.md | 1486 ++++++++--------
 tests/reports/alerts_from_rules-8.11.md | 1516 ++++++++--------
 tests/reports/alerts_from_rules-8.12.md | 1488 ++++++++--------
 tests/reports/alerts_from_rules-8.13.md | 1444 ++++++++--------
 tests/reports/alerts_from_rules-8.14.md | 1444 ++++++++--------
 tests/reports/alerts_from_rules-8.15.md | 1444 ++++++++--------
 tests/reports/alerts_from_rules-8.16.md | 1444 ++++++++--------
 tests/reports/alerts_from_rules-8.17.md | 1444 ++++++++--------
 tests/reports/alerts_from_rules-8.2.md | 1158 ++++++------
 tests/reports/alerts_from_rules-8.3.md | 1220 ++++++------
 tests/reports/alerts_from_rules-8.4.md | 1290 +++++++------
 tests/reports/alerts_from_rules-8.5.md | 1304 +++++++------
 tests/reports/alerts_from_rules-8.6.md | 1360 +++++++-------
 tests/reports/alerts_from_rules-8.7.md | 1486 ++++++++--------
 tests/reports/alerts_from_rules-8.8.md | 1536 ++++++++---------
 tests/reports/alerts_from_rules-8.9.md | 1494 ++++++++--------
 tests/reports/alerts_from_rules-9.0.md | 1374 +++++++-------
 tests/reports/alerts_from_rules-serverless.md | 1442 ++++++++--------
 tests/test_emitter_queries.py | 2 +-
 tests/test_emitter_rules.py | 2 +-
 21 files changed, 12747 insertions(+), 12747 deletions(-)
diff --git a/tests/reports/alerts_from_queries.md b/tests/reports/alerts_from_queries.md
index 5234a4d8..2ecd1535 100644
--- a/tests/reports/alerts_from_queries.md
+++ b/tests/reports/alerts_from_queries.md
@@ -12,7 +12,7 @@ Here you can learn what queries are supported.
 Branch count: 1
 Document count: 1
-Index: geneve-ut-000
+Index: geneve-ut-0000
 ```python
 any where true
@@ -24,7 +24,7 @@ any where true
 Branch count: 1
 Document count: 1
-Index: geneve-ut-001
+Index: geneve-ut-0001
 ```python
 any where not false
@@ -36,7 +36,7 @@ any where not false
 Branch count: 1
 Document count: 1
-Index: geneve-ut-002
+Index: geneve-ut-0002
 ```python
 any where not (true and false)
@@ -48,7 +48,7 @@ any where not (true and false)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-003
+Index: geneve-ut-0003
 ```python
 any where not (false or false)
@@ -60,7 +60,7 @@ any where not (false or false)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-004
+Index: geneve-ut-0004
 ```python
 network where source.port > 512 and source.port < 1024
@@ -72,7 +72,7 @@ network where source.port > 512 and source.port < 1024
 Branch count: 1
 Document count: 1
-Index: geneve-ut-005
+Index: geneve-ut-0005
 ```python
 network where not (source.port < 512 or source.port > 1024)
@@ -84,7 +84,7 @@ network where not (source.port < 512 or source.port > 1024)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-006
+Index: geneve-ut-0006
 ```python
 network where destination.port not in (80, 443)
@@ -96,7 +96,7 @@ network where destination.port not in (80, 443)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-007
+Index: geneve-ut-0007
 ```python
 network where not destination.port in (80, 443)
@@ -108,7 +108,7 @@ network where not destination.port in (80, 443)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-008
+Index: geneve-ut-0008
 ```python
 network where destination.port == 22 and destination.port in (80, 443) or destination.port == 25
@@ -120,7 +120,7 @@ network where destination.port == 22 and destination.port in (80, 443) or destin
 Branch count: 1
 Document count: 1
-Index: geneve-ut-009
+Index: geneve-ut-0009
 ```python
 process where process.name == "regsvr32.exe"
@@ -132,7 +132,7 @@ process where process.name == "regsvr32.exe"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-010
+Index: geneve-ut-0010
 ```python
 process where process.name != "regsvr32.exe"
@@ -144,7 +144,7 @@ process where process.name != "regsvr32.exe"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-011
+Index: geneve-ut-0011
 ```python
 process where process.pid != 0
@@ -156,7 +156,7 @@ process where process.pid != 0
 Branch count: 1
 Document count: 1
-Index: geneve-ut-012
+Index: geneve-ut-0012
 ```python
 process where process.pid >= 0
@@ -168,7 +168,7 @@ process where process.pid >= 0
 Branch count: 1
 Document count: 1
-Index: geneve-ut-013
+Index: geneve-ut-0013
 ```python
 process where process.pid > 0
@@ -180,7 +180,7 @@ process where process.pid > 0
 Branch count: 1
 Document count: 1
-Index: geneve-ut-014
+Index: geneve-ut-0014
 ```python
 process where process.code_signature.exists == true
@@ -192,7 +192,7 @@ process where process.code_signature.exists == true
 Branch count: 1
 Document count: 1
-Index: geneve-ut-015
+Index: geneve-ut-0015
 ```python
 process where process.code_signature.exists != true
@@ -204,7 +204,7 @@ process where process.code_signature.exists != true
 Branch count: 1
 Document count: 1
-Index: geneve-ut-016
+Index: geneve-ut-0016
 ```python
 any where network.protocol == "some protocol"
@@ -216,7 +216,7 @@ any where network.protocol == "some protocol"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-017
+Index: geneve-ut-0017
 ```python
 any where process.pid == null
@@ -228,7 +228,7 @@ any where process.pid == null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-018
+Index: geneve-ut-0018
 ```python
 any where not process.pid != null
@@ -240,7 +240,7 @@ any where not process.pid != null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-019
+Index: geneve-ut-0019
 ```python
 any where process.pid != null
@@ -252,7 +252,7 @@ any where process.pid != null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-020
+Index: geneve-ut-0020
 ```python
 any where not process.pid == null
@@ -264,7 +264,7 @@ any where not process.pid == null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-021
+Index: geneve-ut-0021
 ```python
 process where process.name == "regsvr32.exe" and process.parent.name == "cmd.exe"
@@ -276,7 +276,7 @@ process where process.name == "regsvr32.exe" and process.parent.name == "cmd.exe
 Branch count: 1
 Document count: 1
-Index: geneve-ut-022
+Index: geneve-ut-0022
 ```python
 process where process.args != null
@@ -288,7 +288,7 @@ process where process.args != null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-023
+Index: geneve-ut-0023
 ```python
 process where process.args : "-f" and process.args == "-r"
@@ -300,7 +300,7 @@ process where process.args : "-f" and process.args == "-r"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-024
+Index: geneve-ut-0024
 ```python
 network where destination.ip == "127.0.0.1"
@@ -312,7 +312,7 @@ network where destination.ip == "127.0.0.1"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-025
+Index: geneve-ut-0025
 ```python
 network where cidrMatch(destination.ip, "10.0.0.0/8", "192.168.0.0/16")
@@ -324,7 +324,7 @@ network where cidrMatch(destination.ip, "10.0.0.0/8", "192.168.0.0/16")
 Branch count: 1
 Document count: 1
-Index: geneve-ut-026
+Index: geneve-ut-0026
 ```python
 network where not cidrMatch(destination.ip, "10.0.0.0/8", "192.168.0.0/16")
@@ -336,7 +336,7 @@ network where not cidrMatch(destination.ip, "10.0.0.0/8", "192.168.0.0/16")
 Branch count: 1
 Document count: 1
-Index: geneve-ut-027
+Index: geneve-ut-0027
 ```python
 network where destination.ip != null
@@ -348,7 +348,7 @@ network where destination.ip != null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-028
+Index: geneve-ut-0028
 ```python
 network where destination.ip == "::1"
@@ -360,7 +360,7 @@ network where destination.ip == "::1"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-029
+Index: geneve-ut-0029
 ```python
 network where destination.ip == "822e::/16"
@@ -372,7 +372,7 @@ network where destination.ip == "822e::/16"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-030
+Index: geneve-ut-0030
 ```python
 event.category:network and destination.ip:"822e::/16"
@@ -384,7 +384,7 @@ event.category:network and destination.ip:"822e::/16"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-031
+Index: geneve-ut-0031
 ```python
 network where host.ip != null
@@ -396,7 +396,7 @@ network where host.ip != null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-032
+Index: geneve-ut-0032
 ```python
 event.category:network and host.ip:"822e::/96"
@@ -408,7 +408,7 @@ event.category:network and host.ip:"822e::/96"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-033
+Index: geneve-ut-0033
 ```python
 event.category:process and not process.args : (TRUE or true)
@@ -420,7 +420,7 @@ event.category:process and not process.args : (TRUE or true)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-034
+Index: geneve-ut-0034
 ```python
 network where not (source.port > 512 and source.port < 1024)
@@ -432,7 +432,7 @@ network where not (source.port > 512 and source.port < 1024)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-035
+Index: geneve-ut-0035
 ```python
 network where source.port > 512 or source.port < 1024
@@ -444,7 +444,7 @@ network where source.port > 512 or source.port < 1024
 Branch count: 2
 Document count: 2
-Index: geneve-ut-036
+Index: geneve-ut-0036
 ```python
 network where source.port < 2000 and (source.port > 512 or source.port > 1024)
@@ -456,7 +456,7 @@ network where source.port < 2000 and (source.port > 512 or source.port > 1024)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-037
+Index: geneve-ut-0037
 ```python
 network where (source.port > 512 or source.port > 1024) and source.port < 2000
@@ -468,7 +468,7 @@ network where (source.port > 512 or source.port > 1024) and source.port < 2000
 Branch count: 4
 Document count: 4
-Index: geneve-ut-038
+Index: geneve-ut-0038
 ```python
 network where (source.port > 1024 or source.port < 2000) and (source.port < 4000 or source.port > 512)
@@ -480,7 +480,7 @@ network where (source.port > 1024 or source.port < 2000) and (source.port < 4000
 Branch count: 2
 Document count: 2
-Index: geneve-ut-039
+Index: geneve-ut-0039
 ```python
 network where destination.port in (80, 443)
@@ -492,7 +492,7 @@ network where destination.port in (80, 443)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-040
+Index: geneve-ut-0040
 ```python
 process where process.name : ("*.EXE", "*.DLL")
@@ -504,7 +504,7 @@ process where process.name : ("*.EXE", "*.DLL")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-041
+Index: geneve-ut-0041
 ```python
 process where process.name == "regsvr32.exe" or process.parent.name == "cmd.exe"
@@ -516,7 +516,7 @@ process where process.name == "regsvr32.exe" or process.parent.name == "cmd.exe"
 Branch count: 3
 Document count: 3
-Index: geneve-ut-042
+Index: geneve-ut-0042
 ```python
 process where process.name == "regsvr32.exe" or process.name == "cmd.exe" or process.name == "powershell.exe"
@@ -528,7 +528,7 @@ process where process.name == "regsvr32.exe" or process.name == "cmd.exe" or pro
 Branch count: 3
 Document count: 3
-Index: geneve-ut-043
+Index: geneve-ut-0043
 ```python
 process where process.name in ("regsvr32.exe", "cmd.exe", "powershell.exe")
@@ -540,7 +540,7 @@ process where process.name in ("regsvr32.exe", "cmd.exe", "powershell.exe")
 Branch count: 3
 Document count: 3
-Index: geneve-ut-044
+Index: geneve-ut-0044
 ```python
 process where process.name in ("regsvr32.exe", "cmd.exe") or process.name == "powershell.exe"
@@ -552,7 +552,7 @@ process where process.name in ("regsvr32.exe", "cmd.exe") or process.name == "po
 Branch count: 2
 Document count: 2
-Index: geneve-ut-045
+Index: geneve-ut-0045
 ```python
 process where event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
@@ -564,7 +564,7 @@ process where event.type in ("start", "process_started") and process.args : "dum
 Branch count: 2
 Document count: 2
-Index: geneve-ut-046
+Index: geneve-ut-0046
 ```python
 event.type:(start or process_started) and (process.args:"dump-keychain" and process.args:"-d")
@@ -576,7 +576,7 @@ event.type:(start or process_started) and (process.args:"dump-keychain" and proc
 Branch count: 4
 Document count: 4
-Index: geneve-ut-047
+Index: geneve-ut-0047
 ```python
 event.category:process and process.args:a and process.args:(b1 or b2) and process.args:(c1 or c2)
@@ -588,7 +588,7 @@ event.category:process and process.args:a and process.args:(b1 or b2) and proces
 Branch count: 4
 Document count: 4
-Index: geneve-ut-048
+Index: geneve-ut-0048
 ```python
 process where process.args : "a" and process.args : ("b1", "b2") and process.args : ("c1", "c2")
@@ -600,7 +600,7 @@ process where process.args : "a" and process.args : ("b1", "b2") and process.arg
 Branch count: 1
 Document count: 2
-Index: geneve-ut-049
+Index: geneve-ut-0049
 ```python
 sequence
@@ -614,7 +614,7 @@ sequence
 Branch count: 1
 Document count: 2
-Index: geneve-ut-050
+Index: geneve-ut-0050
 ```python
 sequence by user.id
@@ -628,7 +628,7 @@ sequence by user.id
 Branch count: 1
 Document count: 2
-Index: geneve-ut-051
+Index: geneve-ut-0051
 ```python
 sequence
@@ -642,7 +642,7 @@ sequence
 Branch count: 1
 Document count: 2
-Index: geneve-ut-052
+Index: geneve-ut-0052
 ```python
 sequence
@@ -656,7 +656,7 @@ sequence
 Branch count: 1
 Document count: 4
-Index: geneve-ut-053
+Index: geneve-ut-0053
 ```python
 sequence
@@ -670,7 +670,7 @@ sequence
 Branch count: 2
 Document count: 4
-Index: geneve-ut-054
+Index: geneve-ut-0054
 ```python
 sequence
@@ -684,7 +684,7 @@ sequence
 Branch count: 2
 Document count: 4
-Index: geneve-ut-055
+Index: geneve-ut-0055
 ```python
 sequence by user.id
@@ -698,7 +698,7 @@ sequence by user.id
 Branch count: 4
 Document count: 8
-Index: geneve-ut-056
+Index: geneve-ut-0056
 ```python
 sequence
@@ -712,7 +712,7 @@ sequence
 Branch count: 4
 Document count: 8
-Index: geneve-ut-057
+Index: geneve-ut-0057
 ```python
 sequence by user.id
diff --git a/tests/reports/alerts_from_rules-8.10.md b/tests/reports/alerts_from_rules-8.10.md
index 0495019e..e5dbb5cb 100644
--- a/tests/reports/alerts_from_rules-8.10.md
+++ b/tests/reports/alerts_from_rules-8.10.md
@@ -19,7 +19,7 @@ Rules version: 8.10.18
 Branch count: 4608
 Document count: 13824
-Index: geneve-ut-262
+Index: geneve-ut-0262
 ```python
 sequence by host.id, user.id with maxspan=1m
@@ -40,7 +40,7 @@ sequence by host.id, user.id with maxspan=1m
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-586
+Index: geneve-ut-0586
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -59,7 +59,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-590
+Index: geneve-ut-0590
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -78,7 +78,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 2048
 Document count: 22528
-Index: geneve-ut-680
+Index: geneve-ut-0680
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -95,7 +95,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 4608
 Document count: 4608
-Index: geneve-ut-861
+Index: geneve-ut-0861
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -144,7 +144,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1836
 Document count: 1836
-Index: geneve-ut-915
+Index: geneve-ut-0915
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -176,7 +176,7 @@ process.name == "ln" and process.args in ("-s", "-sf") and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-404
+Index: geneve-ut-0404
 ```python
 iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and
@@ -189,7 +189,7 @@ process.name in ("groupadd", "addgroup") and group.name != null
 Branch count: 2
 Document count: 2
-Index: geneve-ut-408
+Index: geneve-ut-0408
 ```python
 iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and
@@ -202,7 +202,7 @@ process.name in ("useradd", "adduser") and user.name != null
 Branch count: 4
 Document count: 8
-Index: geneve-ut-619
+Index: geneve-ut-0619
 ```python
 sequence by user.name, source.port, source.ip with maxspan=15s
@@ -222,7 +222,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s
 Branch count: 4608
 Document count: 13824
-Index: geneve-ut-262
+Index: geneve-ut-0262
 Failure message(s): got 1000 signals, expected 4608
@@ -245,7 +245,7 @@ sequence by host.id, user.id with maxspan=1m
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-586
+Index: geneve-ut-0586
 Failure message(s): got 1000 signals, expected 1024
@@ -266,7 +266,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-590
+Index: geneve-ut-0590
 Failure message(s): got 1000 signals, expected 1024
@@ -287,7 +287,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 2048
 Document count: 22528
-Index: geneve-ut-680
+Index: geneve-ut-0680
 Failure message(s): got 1000 signals, expected 2048
@@ -306,7 +306,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 4608
 Document count: 4608
-Index: geneve-ut-861
+Index: geneve-ut-0861
 Failure message(s): got 1000 signals, expected 4608
@@ -357,7 +357,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 11
 Document count: 22
-Index: geneve-ut-890
+Index: geneve-ut-0890
 Failure message(s): got 8 signals, expected 11
@@ -378,7 +378,7 @@ sequence by host.id with maxspan=5s
 Branch count: 1836
 Document count: 1836
-Index: geneve-ut-915
+Index: geneve-ut-0915
 Failure message(s): got 1000 signals, expected 1836
@@ -412,7 +412,7 @@ process.name == "ln" and process.args in ("-s", "-sf") and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-000
+Index: geneve-ut-0000
 ```python
 iam where event.action == "scheduled-task-created" and
@@ -439,7 +439,7 @@ iam where event.action == "scheduled-task-created" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-001
+Index: geneve-ut-0001
 ```python
 iam where event.action == "scheduled-task-updated" and
@@ -469,7 +469,7 @@ iam where event.action == "scheduled-task-updated" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-002
+Index: geneve-ut-0002
 ```python
 event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success
@@ -481,7 +481,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 Branch count: 1
 Document count: 1
-Index: geneve-ut-003
+Index: geneve-ut-0003
 ```python
 event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success
@@ -493,7 +493,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 Branch count: 1
 Document count: 1
-Index: geneve-ut-004
+Index: geneve-ut-0004
 ```python
 event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success
@@ -505,7 +505,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 Branch count: 1
 Document count: 1
-Index: geneve-ut-005
+Index: geneve-ut-0005
 ```python
 event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success
@@ -517,7 +517,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve
 Branch count: 1
 Document count: 1
-Index: geneve-ut-006
+Index: geneve-ut-0006
 ```python
 event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success
@@ -529,7 +529,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve
 Branch count: 1
 Document count: 1
-Index: geneve-ut-007
+Index: geneve-ut-0007
 ```python
 event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success
@@ -541,7 +541,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act
 Branch count: 1
 Document count: 1
-Index: geneve-ut-008
+Index: geneve-ut-0008
 ```python
 event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success
@@ -553,7 +553,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act
 Branch count: 9
 Document count: 9
-Index: geneve-ut-009
+Index: geneve-ut-0009
 ```python
 event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and
@@ -568,7 +568,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-010
+Index: geneve-ut-0010
 ```python
 event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success
@@ -580,7 +580,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a
 Branch count: 84
 Document count: 84
-Index: geneve-ut-011
+Index: geneve-ut-0011
 ```python
 process where event.module == "cloud_defend" and
@@ -597,7 +597,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_
 Branch count: 3
 Document count: 3
-Index: geneve-ut-012
+Index: geneve-ut-0012
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
@@ -610,7 +610,7 @@ and event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-013
+Index: geneve-ut-0013
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
@@ -622,7 +622,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 Branch count: 4
 Document count: 4
-Index: geneve-ut-014
+Index: geneve-ut-0014
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
@@ -636,7 +636,7 @@ event.outcome:success
 Branch count: 2
 Document count: 2
-Index: geneve-ut-015
+Index: geneve-ut-0015
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
@@ -648,7 +648,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 Branch count: 2
 Document count: 2
-Index: geneve-ut-016
+Index: geneve-ut-0016
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
@@ -660,7 +660,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-017
+Index: geneve-ut-0017
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute
@@ -672,7 +672,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-018
+Index: geneve-ut-0018
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure
@@ -684,7 +684,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 Branch count: 2
 Document count: 2
-Index: geneve-ut-019
+Index: geneve-ut-0019
 ```python
 event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and
@@ -697,7 +697,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-020
+Index: geneve-ut-0020
 ```python
 event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and
@@ -710,7 +710,7 @@ event.outcome:success
 Branch count: 5
 Document count: 5
-Index: geneve-ut-021
+Index: geneve-ut-0021
 ```python
 event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
@@ -724,7 +724,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev
 Branch count: 2
 Document count: 2
-Index: geneve-ut-022
+Index: geneve-ut-0022
 ```python
 event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
@@ -737,7 +737,7 @@ event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-023
+Index: geneve-ut-0023
 ```python
 event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success
@@ -749,7 +749,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-024
+Index: geneve-ut-0024
 ```python
 event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success
@@ -761,7 +761,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even
 Branch count: 1
 Document count: 1
-Index: geneve-ut-025
+Index: geneve-ut-0025
 ```python
 event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success
@@ -773,7 +773,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti
 Branch count: 2
 Document count: 2
-Index: geneve-ut-027
+Index: geneve-ut-0027
 ```python
 event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success
@@ -785,7 +785,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-028
+Index: geneve-ut-0028
 ```python
 event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success
@@ -797,7 +797,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-029
+Index: geneve-ut-0029
 ```python
 event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success
@@ -809,7 +809,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-030
+Index: geneve-ut-0030
 ```python
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
@@ -821,7 +821,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-031
+Index: geneve-ut-0031
 ```python
 event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success
@@ -833,7 +833,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti
 Branch count: 2
 Document count: 2
-Index: geneve-ut-032
+Index: geneve-ut-0032
 ```python
 event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success
@@ -845,7 +845,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-034
+Index: geneve-ut-0034
 ```python
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success
@@ -857,7 +857,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-035
+Index: geneve-ut-0035
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success
@@ -869,7 +869,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-036
+Index: geneve-ut-0036
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success
@@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 Branch count: 2
 Document count: 2
-Index: geneve-ut-037
+Index: geneve-ut-0037
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success
@@ -893,7 +893,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-038
+Index: geneve-ut-0038
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success
@@ -905,7 +905,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-039
+Index: geneve-ut-0039
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success
@@ -917,7 +917,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-040
+Index: geneve-ut-0040
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success
@@ -929,7 +929,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-041
+Index: geneve-ut-0041
 ```python
 event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and
@@ -942,7 +942,7 @@ event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-042
+Index: geneve-ut-0042
 ```python
 event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success
@@ -954,7 +954,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event
 Branch count: 1
 Document count: 1
-Index: geneve-ut-043
+Index: geneve-ut-0043
 ```python
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
@@ -969,7 +969,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-044
+Index: geneve-ut-0044
 ```python
 event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success
@@ -981,7 +981,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.
 Branch count: 1
 Document count: 1
-Index: geneve-ut-045
+Index: geneve-ut-0045
 ```python
 event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success
@@ -993,7 +993,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.
 Branch count: 2
 Document count: 2
-Index: geneve-ut-046
+Index: geneve-ut-0046
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
@@ -1006,7 +1006,7 @@ event.outcome:success
 Branch count: 5
 Document count: 5
-Index: geneve-ut-047
+Index: geneve-ut-0047
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
@@ -1019,7 +1019,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-048
+Index: geneve-ut-0048
 ```python
 event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
@@ -1032,7 +1032,7 @@ event.outcome:success
 Branch count: 5
 Document count: 5
-Index: geneve-ut-049
+Index: geneve-ut-0049
 ```python
 event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
@@ -1047,7 +1047,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-050
+Index: geneve-ut-0050
 ```python
 event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or
@@ -1060,7 +1060,7 @@ UpdateSAMLProvider) and event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-051
+Index: geneve-ut-0051
 ```python
 event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and
@@ -1073,7 +1073,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success
 Branch count: 6
 Document count: 6
-Index: geneve-ut-052
+Index: geneve-ut-0052
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
@@ -1087,7 +1087,7 @@ RevokeSecurityGroupIngress) and event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-053
+Index: geneve-ut-0053
 ```python
 event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
@@ -1100,7 +1100,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.
 Branch count: 1
 Document count: 1
-Index: geneve-ut-054
+Index: geneve-ut-0054
 ```python
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
@@ -1112,7 +1112,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 Branch count: 1
 Document count: 1
-Index: geneve-ut-055
+Index: geneve-ut-0055
 ```python
 event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
@@ -1124,7 +1124,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1136,7 +1136,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1152,7 +1152,7 @@ Index: geneve-ut-059 Branch count: 52 Document count: 52 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1181,7 +1181,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1219,7 +1219,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python any where event.action == "Directory Service Access" and event.code == "4662" and @@ -1254,7 +1254,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 4 Document count: 4 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and 
@@ -1271,7 +1271,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1291,7 +1291,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python sequence by winlog.computer_name with maxspan=1m @@ -1319,7 +1319,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1337,7 +1337,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 36 Document count: 36 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1357,7 +1357,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1371,7 +1371,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -1384,7 +1384,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:okta.system and event.action:group.privilege.grant 
@@ -1396,7 +1396,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1408,7 +1408,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1423,7 +1423,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1435,7 +1435,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.agent_id_status:agent_id_mismatch @@ -1447,7 +1447,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1466,7 +1466,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1479,7 +1479,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION 
@@ -1491,7 +1491,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1506,7 +1506,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1518,7 +1518,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -1531,7 +1531,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1543,7 +1543,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1555,7 +1555,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1567,7 +1567,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate 
@@ -1579,7 +1579,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1591,7 +1591,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1603,7 +1603,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python event.dataset:okta.system and event.action:zone.delete @@ -1615,7 +1615,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1627,7 +1627,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1639,7 +1639,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1652,7 +1652,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 34 Document count: 34 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -1679,7 +1679,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -1695,7 +1695,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1708,7 +1708,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1727,7 +1727,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1742,7 +1742,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:okta.system and event.action:policy.lifecycle.update 
@@ -1778,7 +1778,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1790,7 +1790,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1809,7 +1809,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1827,7 +1827,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1839,7 +1839,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1851,7 +1851,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1864,7 +1864,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass 
@@ -1876,7 +1876,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1906,7 +1906,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -1921,7 +1921,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1935,7 +1935,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.signinlogs and @@ -1949,7 +1949,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.signinlogs and @@ -1962,7 +1962,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.signinlogs and @@ -1976,7 +1976,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1989,7 +1989,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) 
@@ -2001,7 +2001,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2013,7 +2013,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and @@ -2032,7 +2032,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:azure.activitylogs and @@ -2046,7 +2046,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and @@ -2064,7 +2064,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2076,7 +2076,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2091,7 +2091,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) 
@@ -2103,7 +2103,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2116,7 +2116,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2128,7 +2128,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2140,7 +2140,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2152,7 +2152,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) 
@@ -2164,7 +2164,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2176,7 +2176,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2188,7 +2188,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2206,7 +2206,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2222,7 +2222,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2234,7 +2234,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and 
@@ -2247,7 +2247,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2260,7 +2260,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2275,7 +2275,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2287,7 +2287,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2299,7 +2299,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2311,7 +2311,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) 
@@ -2323,7 +2323,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2335,7 +2335,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2347,7 +2347,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2365,7 +2365,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2379,7 +2379,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2393,7 +2393,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python event.category:file and event.type:change and 
@@ -2418,7 +2418,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2433,7 +2433,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2448,7 +2448,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2470,7 +2470,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python file where host.os.type == "windows" and event.action : "creation" and @@ -2499,7 +2499,7 @@ file where host.os.type == "windows" and event.action : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2517,7 +2517,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2535,7 +2535,7 @@ not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") Branch count: 24 Document count: 24 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2551,7 +2551,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2573,7 +2573,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2587,7 +2587,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -2608,7 +2608,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2628,7 +2628,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python sequence by process.entity_id @@ -2651,7 +2651,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2668,7 +2668,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python library where host.os.type == "windows" and event.action == "load" and @@ -2698,7 +2698,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python network where host.os.type == "windows" and network.protocol == "dns" and 
@@ -2723,7 +2723,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python sequence by process.entity_id @@ -2744,7 +2744,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python sequence by process.entity_id @@ -2765,7 +2765,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python process where container.id: "*" and event.type== "start" @@ -2778,7 +2778,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.kind:alert and event.module:cloud_defend @@ -2790,7 +2790,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 24 Document count: 24 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2816,7 +2816,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2836,7 +2836,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -2849,7 +2849,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and 
@@ -2862,7 +2862,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -2877,7 +2877,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -2894,7 +2894,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python any where host.os.type == "windows" and event.action == "Directory Service Changes" and @@ -2908,7 +2908,7 @@ any where host.os.type == "windows" and event.action == "Directory Service Chang Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python registry where host.os.type == "windows" and registry.path : ( @@ -2923,7 +2923,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2935,7 +2935,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2978,7 +2978,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -2993,7 +2993,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 8 Document count: 8 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3008,7 +3008,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3020,7 +3020,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3032,7 +3032,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3044,7 +3044,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3056,7 +3056,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:cyberarkpas.audit and event.type:error 
@@ -3068,7 +3068,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:cyberarkpas.audit and @@ -3083,7 +3083,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -3101,7 +3101,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 9 Document count: 9 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3116,7 +3116,7 @@ Index: geneve-ut-199 Branch count: 2 Document count: 2 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3130,7 +3130,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3144,7 +3144,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3166,7 +3166,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3183,7 +3183,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3205,7 +3205,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3222,7 +3222,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3237,7 +3237,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3249,7 +3249,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3262,7 +3262,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3274,7 +3274,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python sequence by process.entity_id with maxspan=1m 
@@ -3292,7 +3292,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 12 Document count: 12 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3305,7 +3305,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 108 Document count: 108 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3320,7 +3320,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 12 Document count: 12 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3334,7 +3334,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3346,7 +3346,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 201 Document count: 201 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where @@ -3377,7 +3377,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3390,7 +3390,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3404,7 +3404,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and @@ -3418,7 +3418,7 @@ registry where host.os.type == "windows" and Branch count: 14 Document count: 14 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3449,7 +3449,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -3461,7 +3461,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3475,7 +3475,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3494,7 +3494,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3521,7 +3521,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 46 Document count: 46 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3551,7 +3551,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python event.category:process and host.os.type:windows and 
@@ -3571,7 +3571,7 @@ event.category:process and host.os.type:windows and Branch count: 64 Document count: 64 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -3599,7 +3599,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -3612,7 +3612,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python sequence by process.entity_id with maxspan=5m @@ -3632,7 +3632,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3651,7 +3651,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 48 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python sequence with maxspan=2h @@ -3676,7 +3676,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python sequence with maxspan=2h @@ -3701,7 +3701,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3730,7 +3730,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -3742,7 +3742,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -3765,7 +3765,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python sequence by user.id with maxspan=5s @@ -3780,7 +3780,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3792,7 +3792,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3814,7 +3814,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3826,7 +3826,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -3840,7 +3840,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python driver where host.os.type == "windows" and process.pid == 4 and 
@@ -3853,7 +3853,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3865,7 +3865,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3877,7 +3877,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3891,7 +3891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3903,7 +3903,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python file where host.os.type == "windows" and event.code : "2" and @@ -3935,7 +3935,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 4 Document count: 4 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( 
@@ -3949,7 +3949,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -3965,7 +3965,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -3980,7 +3980,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where event.module == "cloud_defend" and @@ -3995,7 +3995,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python sequence by process.entity_id @@ -4022,7 +4022,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4043,7 +4043,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and user.id == "0" and @@ -4058,7 +4058,7 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " Branch count: 11 Document count: 11 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4084,7 +4084,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and 
@@ -4110,7 +4110,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python event.dataset: google_workspace.alert @@ -4122,7 +4122,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python registry where host.os.type == "windows" and @@ -4140,7 +4140,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4152,7 +4152,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4164,7 +4164,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4176,7 +4176,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -4188,7 +4188,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success 
@@ -4200,7 +4200,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -4212,7 +4212,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -4224,7 +4224,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -4236,7 +4236,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -4248,7 +4248,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -4260,7 +4260,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success 
@@ -4272,7 +4272,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4284,7 +4284,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4296,7 +4296,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -4308,7 +4308,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -4320,7 +4320,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -4332,7 +4332,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success 
@@ -4344,7 +4344,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -4356,7 +4356,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -4368,7 +4368,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -4380,7 +4380,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -4392,7 +4392,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -4404,7 +4404,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -4416,7 +4416,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" 
@@ -4428,7 +4428,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -4440,7 +4440,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -4452,7 +4452,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python configuration where event.dataset == "github.audit" @@ -4465,7 +4465,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -4477,7 +4477,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -4489,7 +4489,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -4501,7 +4501,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" 
@@ -4514,7 +4514,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -4526,7 +4526,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -4538,7 +4538,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -4551,7 +4551,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -4563,7 +4563,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4576,7 +4576,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE 
@@ -4588,7 +4588,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -4601,7 +4601,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -4618,7 +4618,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -4632,7 +4632,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python sequence by source.user.email with maxspan=3m @@ -4656,7 +4656,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -4677,7 +4677,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4691,7 +4691,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) 
@@ -4703,7 +4703,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -4715,7 +4715,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -4728,7 +4728,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4741,7 +4741,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python file where event.type == "creation" and process.name == "chflags" @@ -4753,7 +4753,7 @@ file where event.type == "creation" and process.name == "chflags" Branch count: 1 Document count: 2 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python sequence by process.entity_id with maxspan=5m @@ -4770,7 +4770,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python any where @@ -4799,7 +4799,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4812,7 +4812,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4827,7 +4827,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -4839,7 +4839,7 @@ Index: geneve-ut-355 Branch count: 8 Document count: 8 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4856,7 +4856,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python sequence with maxspan=1m @@ -4875,7 +4875,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python sequence by host.id with maxspan=1m @@ -4893,7 +4893,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python sequence by host.id with maxspan=5s @@ -4912,7 +4912,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python sequence by host.id with maxspan = 30s @@ -4928,7 +4928,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python sequence by host.id with maxspan=30s @@ -4944,7 +4944,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4957,7 +4957,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4970,7 +4970,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4986,7 +4986,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5005,7 +5005,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -5024,7 +5024,7 @@ registry where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python process where container.id : "*" and event.type== "start" and @@ -5045,7 +5045,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -5058,7 +5058,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -5076,7 +5076,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.action:modified-user-account and event.code:4738 and 
@@ -5089,7 +5089,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -5103,7 +5103,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -5162,7 +5162,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5175,7 +5175,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5188,7 +5188,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5201,7 +5201,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" 
@@ -5213,7 +5213,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 22 Document count: 22 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -5227,7 +5227,7 @@ process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh Branch count: 16 Document count: 16 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python process where host.os.type == "macos" and event.type == "start" and @@ -5242,7 +5242,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -5254,7 +5254,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:kubernetes.audit_logs @@ -5269,7 +5269,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset: "kubernetes.audit_logs" @@ -5283,7 +5283,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset : "kubernetes.audit_logs" @@ -5299,7 +5299,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset : "kubernetes.audit_logs" @@ -5316,7 +5316,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset : "kubernetes.audit_logs" 
@@ -5333,7 +5333,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset : "kubernetes.audit_logs" @@ -5350,7 +5350,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset : "kubernetes.audit_logs" @@ -5383,7 +5383,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python event.dataset : "kubernetes.audit_logs" @@ -5400,7 +5400,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python event.dataset : "kubernetes.audit_logs" @@ -5417,7 +5417,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python event.dataset : "kubernetes.audit_logs" @@ -5434,7 +5434,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python event.dataset : "kubernetes.audit_logs" @@ -5450,7 +5450,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -5483,7 +5483,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python any where event.action == "File System" and event.code == "4656" and @@ -5518,7 +5518,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python api where host.os.type == "windows" and 
@@ -5572,7 +5572,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5590,7 +5590,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python sequence by host.id with maxspan=1m @@ -5606,7 +5606,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python sequence by host.id with maxspan=1m @@ -5620,7 +5620,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5635,7 +5635,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5697,7 +5697,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -5713,7 +5713,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -5733,7 +5733,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python registry where host.os.type == "windows" and registry.path : ( @@ -5748,7 +5748,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python sequence with maxspan=1m @@ -5773,7 +5773,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -5785,7 +5785,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5809,7 +5809,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by host.id, user.id with maxspan=30s @@ -5823,7 +5823,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -5835,7 +5835,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com 
@@ -5847,7 +5847,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") @@ -5859,7 +5859,7 @@ process where (problemchild.prediction == 1 or blocklist_label == 1) and not pro Branch count: 2 Document count: 2 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5871,7 +5871,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5883,7 +5883,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -5895,7 +5895,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -5907,7 +5907,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -5919,7 +5919,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -5931,7 +5931,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -5943,7 +5943,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -5955,7 +5955,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -5967,7 +5967,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -5979,7 +5979,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -5991,7 +5991,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -6003,7 +6003,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -6015,7 +6015,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -6027,7 +6027,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -6040,7 +6040,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -6059,7 +6059,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -6071,7 +6071,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -6086,7 +6086,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6100,7 +6100,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -6114,7 +6114,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -6126,7 +6126,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -6138,7 +6138,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6152,7 +6152,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6173,7 +6173,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6187,7 +6187,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6210,7 +6210,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -6235,7 +6235,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python event.category: "process" and host.os.type:windows and @@ -6259,7 +6259,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6274,7 +6274,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6288,7 +6288,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6302,7 +6302,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6342,7 +6342,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -6354,7 +6354,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -6372,7 +6372,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6389,7 +6389,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -6401,7 +6401,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 1 Document count: 1 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6426,7 +6426,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python event.category:file and host.os.type:linux and event.type:change and @@ -6445,7 +6445,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6467,7 +6467,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 16 Document count: 16 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -6484,7 +6484,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python event.action:"Directory Service Changes" and event.code:"5136" and 
@@ -6498,7 +6498,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -6510,7 +6510,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6533,7 +6533,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -6546,7 +6546,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6565,7 +6565,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python sequence by process.entity_id @@ -6581,7 +6581,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python sequence by process.entity_id with maxspan=10m @@ -6599,7 +6599,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) 
@@ -6611,7 +6611,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -6637,7 +6637,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -6663,7 +6663,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -6687,7 +6687,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 210 Document count: 210 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6706,7 +6706,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -6721,7 +6721,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python process where container.id: "*" and event.type== "start" @@ -6744,7 +6744,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -6758,7 +6758,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 2 Document count: 2 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6774,7 +6774,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -6797,7 +6797,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -6816,7 +6816,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python sequence by process.entity_id @@ -6836,7 +6836,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python sequence by process.entity_id @@ -6855,7 +6855,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python sequence by host.id with maxspan=1m @@ -6873,7 +6873,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python sequence by process.entity_id @@ -6898,7 +6898,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python sequence by process.entity_id @@ -6920,7 +6920,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and registry.data.strings : "?*" and 
@@ -6949,7 +6949,7 @@ registry where host.os.type == "windows" and registry.data.strings : "?*" and Branch count: 2 Document count: 2 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -6965,7 +6965,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6978,7 +6978,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -6990,7 +6990,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -7002,7 +7002,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -7014,7 +7014,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -7026,7 +7026,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" 
@@ -7038,7 +7038,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -7052,7 +7052,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -7065,7 +7065,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -7077,7 +7077,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -7091,7 +7091,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -7103,7 +7103,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python registry where host.os.type == "windows" and event.action != "deletion" and 
@@ -7116,7 +7116,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:okta.system and event.category:authentication and @@ -7129,7 +7129,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -7152,7 +7152,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -7164,7 +7164,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -7176,7 +7176,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -7188,7 +7188,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -7203,7 +7203,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7217,7 +7217,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -7229,7 +7229,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -7241,7 +7241,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7259,7 +7259,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -7272,7 +7272,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -7286,7 +7286,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python sequence by host.id with maxspan=5s @@ -7302,7 +7302,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python /* Registry Path ends with backslash */ 
@@ -7327,7 +7327,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -7353,7 +7353,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python process where host.os.type == "macos" and event.type == "start" and @@ -7373,7 +7373,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7392,7 +7392,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7405,7 +7405,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7421,7 +7421,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7447,7 +7447,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7466,7 +7466,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7494,7 +7494,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7509,7 +7509,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python registry where host.os.type == "windows" and @@ -7572,7 +7572,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python registry where host.os.type == "windows" and registry.path : ( @@ -7587,7 +7587,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -7605,7 +7605,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -7617,7 +7617,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -7630,7 +7630,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -7645,7 +7645,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -7662,7 +7662,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and @@ -7678,7 +7678,7 @@ user.name == "postgres" and ( Branch count: 2 Document count: 6 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python sequence by host.id, user.name with maxspan = 5s @@ -7707,7 +7707,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -7720,7 +7720,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -7733,7 +7733,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python process where event.type in ("start", "process_started", "info") and 
@@ -7757,7 +7757,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -7792,7 +7792,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7810,7 +7810,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7833,7 +7833,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7887,7 +7887,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python sequence by process.entity_id with maxspan=1m @@ -7905,7 +7905,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id @@ -7920,7 +7920,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python any where processor.name == "transaction" and @@ -7934,7 +7934,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7955,7 +7955,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7976,7 +7976,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7989,7 +7989,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-578 +Index: geneve-ut-0578 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8002,7 +8002,7 @@ process.parent.name == "proot" Branch count: 8 Document count: 8 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8018,7 +8018,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8031,7 +8031,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python sequence by process.entity_id with maxspan=3m @@ -8055,7 +8055,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 6 Document count: 6 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8080,7 +8080,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 4 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python sequence by host.id, user.id with maxspan=1s @@ -8098,7 +8098,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8111,7 +8111,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8124,7 +8124,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8138,7 +8138,7 @@ process.args : "*hidepid=2*" Branch count: 60 Document count: 120 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python sequence by host.id with maxspan=1m @@ -8174,7 +8174,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python event.category:process and host.os.type:macos and event.type:start and @@ -8187,7 +8187,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8205,7 +8205,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python process where host.os.type == "windows" and event.code:"4688" and 
@@ -8219,7 +8219,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python sequence by host.id with maxspan=30s @@ -8238,7 +8238,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8251,7 +8251,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -8267,7 +8267,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8280,7 +8280,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 156 Document count: 156 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8308,7 +8308,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 10 -Index: geneve-ut-602 +Index: geneve-ut-0602 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -8326,7 +8326,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 72 Document count: 72 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -8340,7 +8340,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 458 Document count: 458 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -8368,7 +8368,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8387,7 +8387,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python process where host.os.type == "windows" and @@ -8525,7 +8525,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python process where host.os.type == "windows" and @@ -8596,7 +8596,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python library where host.os.type == "windows" and event.action == "load" and @@ -8613,7 +8613,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 12 Document count: 12 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -8630,7 +8630,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip 
@@ -8642,7 +8642,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8683,7 +8683,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -8697,7 +8697,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 2 Document count: 4 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python sequence by process.entity_id with maxspan=1m @@ -8717,7 +8717,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -8758,7 +8758,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python network where host.os.type == "windows" and @@ -8784,7 +8784,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8797,7 +8797,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and 
@@ -8812,7 +8812,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8825,7 +8825,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -8847,7 +8847,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -8867,7 +8867,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 696 Document count: 696 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python event.category:process and host.os.type:windows and @@ -9063,7 +9063,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9079,7 +9079,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -9093,7 +9093,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -9110,7 +9110,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -9124,7 +9124,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -9140,7 +9140,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -9156,7 +9156,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -9168,7 +9168,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9184,7 +9184,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python sequence by host.id with maxspan=1m @@ -9204,7 +9204,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -9216,7 +9216,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python iam where event.action == "renamed-user-account" and 
@@ -9230,7 +9230,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python process where host.os.type == "windows" and event.action == "start" and @@ -9253,7 +9253,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-654 +Index: geneve-ut-0654 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9273,7 +9273,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9286,7 +9286,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python file where host.os.type == "windows" and @@ -9301,7 +9301,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python /* Identifies the modification of RDP Shadow registry or @@ -9328,7 +9328,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9343,7 +9343,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python sequence with maxspan=1m @@ -9385,7 +9385,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id with maxspan=5s @@ -9404,7 +9404,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python process where event.type in ("start", "process_started") and 
@@ -9425,7 +9425,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9439,7 +9439,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -9458,7 +9458,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python sequence by host.id with maxspan=5s @@ -9487,7 +9487,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9503,7 +9503,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -9515,7 +9515,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -9529,7 +9529,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 32 Document count: 96 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ 
@@ -9557,7 +9557,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python sequence by host.id with maxspan=1s @@ -9576,7 +9576,7 @@ sequence by host.id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-682 +Index: geneve-ut-0682 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9589,7 +9589,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -9605,7 +9605,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 2 Document count: 2 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9619,7 +9619,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python file where event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -9649,7 +9649,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9662,7 +9662,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( 
@@ -9678,7 +9678,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9695,7 +9695,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -9711,7 +9711,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python file where host.os.type == "windows" and @@ -9725,7 +9725,7 @@ file where host.os.type == "windows" and Branch count: 4 Document count: 16 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python sequence by okta.actor.id with maxspan=10m @@ -9745,7 +9745,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 80 Document count: 80 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9761,7 +9761,7 @@ process.parent.name in ("screen", "tmux") and process.name : ( Branch count: 21 Document count: 21 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python event.category:process and host.os.type:windows and @@ -9786,7 +9786,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python event.category:process and host.os.type:windows and @@ -9805,7 +9805,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:windows and 
@@ -9828,7 +9828,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -9840,7 +9840,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python event.category:process and host.os.type:windows and @@ -9865,7 +9865,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9881,7 +9881,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python event.category:process and host.os.type:windows and @@ -9920,7 +9920,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9934,7 +9934,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -9948,7 +9948,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -9961,7 +9961,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 6 Document count: 6 -Index: geneve-ut-723 +Index: geneve-ut-0723 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9981,7 +9981,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -9998,7 +9998,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10012,7 +10012,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 96 Document count: 96 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -10087,7 +10087,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python sequence by winlog.computer_name with maxspan=1m @@ -10108,7 +10108,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-730 +Index: geneve-ut-0730 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10127,7 +10127,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -10142,7 +10142,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10197,7 +10197,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -10209,7 +10209,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -10221,7 +10221,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-735 +Index: geneve-ut-0735 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -10233,7 +10233,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python sequence by host.id with maxspan=5s @@ -10265,7 +10265,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -10278,7 +10278,7 @@ process.name : "* " Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10300,7 +10300,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -10313,7 +10313,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10326,7 +10326,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python sequence by process.entity_id @@ -10350,7 +10350,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python registry where host.os.type == "windows" and @@ -10371,7 +10371,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-748 +Index: geneve-ut-0748 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -10383,7 +10383,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -10395,7 +10395,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python registry where host.os.type == "windows" and 
@@ -10412,7 +10412,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-754 +Index: geneve-ut-0754 ```python registry where host.os.type == "windows" and @@ -10440,7 +10440,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-756 +Index: geneve-ut-0756 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10455,7 +10455,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence with maxspan=1m @@ -10485,7 +10485,7 @@ sequence with maxspan=1m Branch count: 13 Document count: 13 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10502,7 +10502,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -10523,7 +10523,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10537,7 +10537,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10551,7 +10551,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python sequence by process.entity_id with maxspan=30s 
@@ -10575,7 +10575,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python sequence by host.id, process.entity_id @@ -10591,7 +10591,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10606,7 +10606,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -10625,7 +10625,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python iam where event.action == "scheduled-task-created" and @@ -10638,7 +10638,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -10680,7 +10680,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python sequence with maxspan=1m @@ -10703,7 +10703,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-770 +Index: geneve-ut-0770 ```python sequence with maxspan=1s @@ -10751,7 +10751,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-771 +Index: geneve-ut-0771 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10764,7 +10764,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-773 +Index: geneve-ut-0773 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -10811,7 +10811,7 @@ Index: geneve-ut-773 Branch count: 4 Document count: 4 -Index: geneve-ut-774 +Index: geneve-ut-0774 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -10830,7 +10830,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 4 Document count: 4 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -10842,7 +10842,7 @@ Index: geneve-ut-776 Branch count: 6 Document count: 6 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python file where container.id:"*" and @@ -10855,7 +10855,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python process where container.id: "*" and event.type == "start" and @@ -10876,7 +10876,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where container.id: "*" and event.type== "start" and @@ -10890,7 +10890,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 36 Document count: 36 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10908,7 +10908,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan = 30s 
@@ -10927,7 +10927,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-785 +Index: geneve-ut-0785 ```python registry where host.os.type == "windows" and @@ -10943,7 +10943,7 @@ registry where host.os.type == "windows" and Branch count: 9 Document count: 9 -Index: geneve-ut-786 +Index: geneve-ut-0786 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10958,7 +10958,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -10999,7 +10999,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-788 +Index: geneve-ut-0788 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -11033,7 +11033,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11047,7 +11047,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11061,7 +11061,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-791 +Index: geneve-ut-0791 ```python process where event.type == "start" and @@ -11121,7 +11121,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-794 +Index: geneve-ut-0794 ```python process where container.id: "*" and event.type== "start" and 
@@ -11164,7 +11164,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-795 +Index: geneve-ut-0795 ```python process where container.id: "*" and event.type== "start" and @@ -11188,7 +11188,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -11201,7 +11201,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python sequence by process.entity_id with maxspan = 1m @@ -11218,7 +11218,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -11238,7 +11238,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by winlog.computer_name with maxspan=5m @@ -11262,7 +11262,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11283,7 +11283,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11306,7 +11306,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where event.type == "start" and process.name : "sc.exe" and 
@@ -11319,7 +11319,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11332,7 +11332,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -11344,7 +11344,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id with maxspan=5s @@ -11358,7 +11358,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-809 +Index: geneve-ut-0809 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -11380,7 +11380,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-810 +Index: geneve-ut-0810 ```python process where host.os.type == "windows" and event.type == "start" @@ -11394,7 +11394,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-811 +Index: geneve-ut-0811 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11408,7 +11408,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 28 Document count: 28 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python registry where host.os.type == "windows" and registry.path : ( 
@@ -11432,7 +11432,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-826 +Index: geneve-ut-0826 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -11457,7 +11457,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-827 +Index: geneve-ut-0827 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11490,7 +11490,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 6 -Index: geneve-ut-830 +Index: geneve-ut-0830 ```python sequence by user.name with maxspan=12h @@ -11505,7 +11505,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-831 +Index: geneve-ut-0831 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -11530,7 +11530,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-832 +Index: geneve-ut-0832 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11545,7 +11545,7 @@ not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args Branch count: 16 Document count: 16 -Index: geneve-ut-835 +Index: geneve-ut-0835 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11559,7 +11559,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-836 +Index: geneve-ut-0836 ```python event.category:process and host.os.type:windows and 
@@ -11585,7 +11585,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-837 +Index: geneve-ut-0837 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11600,7 +11600,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-838 +Index: geneve-ut-0838 ```python sequence by host.id with maxspan=5s @@ -11622,7 +11622,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python sequence by host.id with maxspan=5s @@ -11641,7 +11641,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-841 +Index: geneve-ut-0841 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -11653,7 +11653,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -11666,7 +11666,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id with maxspan=30s @@ -11680,7 +11680,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11710,7 +11710,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python event.category:file and host.os.type:macos and event.action:modification and 
@@ -11734,7 +11734,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11748,7 +11748,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11771,7 +11771,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11785,7 +11785,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12015,7 +12015,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-850 +Index: geneve-ut-0850 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -12031,7 +12031,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n Branch count: 1 Document count: 1 -Index: geneve-ut-851 +Index: geneve-ut-0851 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -12044,7 +12044,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python any where host.os.type == "windows" and 
@@ -12077,7 +12077,7 @@ any where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -12093,7 +12093,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 44 Document count: 44 -Index: geneve-ut-855 +Index: geneve-ut-0855 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -12129,7 +12129,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12165,7 +12165,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12180,7 +12180,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -12196,7 +12196,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python process where host.os.type == "windows" and event.type : "start" and @@ -12224,7 +12224,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12248,7 +12248,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python file where event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( @@ -12263,7 +12263,7 @@ file where event.action in ("creation", "file_create_event") and process.name : Branch count: 2 Document count: 2 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12276,7 +12276,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python any where host.os.type == "windows" and @@ -12291,7 +12291,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python registry where host.os.type == "windows" and registry.path : ( @@ -12308,7 +12308,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 6 Document count: 6 -Index: geneve-ut-873 +Index: geneve-ut-0873 ```python process where container.id: "*" and @@ -12329,7 +12329,7 @@ process.args: "*/*sh" Branch count: 1 Document count: 1 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and @@ -12342,7 +12342,7 @@ user.id == "0" Branch count: 1 Document count: 1 -Index: geneve-ut-877 +Index: geneve-ut-0877 ```python process where host.os.type == "windows" and event.code == "10" and @@ -12361,7 +12361,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-878 +Index: geneve-ut-0878 ```python process where host.os.type == "windows" and event.code == "10" and 
@@ -12396,7 +12396,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 52 Document count: 52 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12417,7 +12417,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -12437,7 +12437,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 24 Document count: 24 -Index: geneve-ut-882 +Index: geneve-ut-0882 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -12450,7 +12450,7 @@ process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack Branch count: 14 Document count: 14 -Index: geneve-ut-885 +Index: geneve-ut-0885 ```python file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and @@ -12463,7 +12463,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 2 Document count: 2 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -12542,7 +12542,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 2 Document count: 2 -Index: geneve-ut-889 +Index: geneve-ut-0889 ```python network where host.os.type == "linux" and event.type == "start" and @@ -12555,7 +12555,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 28 Document count: 28 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where container.id: "*" and event.type== "start" and 
@@ -12572,7 +12572,7 @@ process where container.id: "*" and event.type== "start" and Branch count: 212 Document count: 212 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12596,7 +12596,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python sequence by host.id, process.parent.pid with maxspan=1m @@ -12612,7 +12612,7 @@ sequence by host.id, process.parent.pid with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python event.category:process and host.os.type:windows and @@ -12627,7 +12627,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -12641,7 +12641,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id with maxspan=30s @@ -12665,7 +12665,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -12700,7 +12700,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -12724,7 +12724,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12737,7 +12737,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 180 Document count: 180 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python process where event.type == "start" and event.action : ("exec", "exec_event") and @@ -12775,7 +12775,7 @@ not ( Branch count: 48 Document count: 48 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python any where host.os.type == "windows" and @@ -12808,7 +12808,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-907 +Index: geneve-ut-0907 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -12826,7 +12826,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python file where host.os.type == "linux" and event.action == "rename" and @@ -12840,7 +12840,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and @@ -12853,7 +12853,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 152 Document count: 152 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12883,7 +12883,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python any where host.os.type == "windows" and @@ -12917,7 +12917,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12948,7 +12948,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-914 +Index: geneve-ut-0914 ```python registry where host.os.type == "windows" and @@ -12980,7 +12980,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") @@ -12993,7 +12993,7 @@ and process.parent.name == "kill" Branch count: 160 Document count: 160 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where host.os.type == "windows" and event.action == "start" and @@ -13017,7 +13017,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 136 Document count: 136 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -13034,7 +13034,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python any where event.dataset == "windows.sysmon_operational" and event.code == "21" and @@ -13047,7 +13047,7 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a Branch count: 30 Document count: 30 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python any where host.os.type == "windows" and @@ -13062,7 +13062,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-923 +Index: geneve-ut-0923 ```python sequence by process.entity_id with maxspan = 2m @@ -13080,7 +13080,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-924 +Index: geneve-ut-0924 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13099,7 +13099,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-928 +Index: geneve-ut-0928 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13112,7 +13112,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13158,7 +13158,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13177,7 +13177,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 8 Document count: 8 -Index: geneve-ut-932 +Index: geneve-ut-0932 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13196,7 +13196,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 992 Document count: 1984 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -13234,7 +13234,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 20 Document count: 20 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -13247,7 +13247,7 @@ process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/ Branch count: 2 Document count: 2 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13261,7 +13261,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -13288,7 +13288,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 16 Document count: 16 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -13301,7 +13301,7 @@ process.name in ("netstat", "lsof", "who", "w") Branch count: 20 Document count: 20 -Index: geneve-ut-938 +Index: geneve-ut-0938 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -13314,7 +13314,7 @@ process.name : ("whoami", "w", "who", "users", "id") Branch count: 14 Document count: 14 -Index: geneve-ut-939 +Index: geneve-ut-0939 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13333,7 +13333,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13350,7 +13350,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13370,7 +13370,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13383,7 +13383,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -13396,7 +13396,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 180 Document count: 180 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and @@ -13419,7 +13419,7 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte Branch count: 1 Document count: 2 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -13433,7 +13433,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 30 Document count: 30 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python file where host.os.type == "windows" and event.type == "deletion" and @@ -13472,7 +13472,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python process where event.type == "start" and @@ -13489,7 +13489,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-954 +Index: geneve-ut-0954 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -13502,7 +13502,7 @@ process.name == "trap" and process.args : "SIG*" Branch count: 1 Document count: 1 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13519,7 +13519,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -13535,7 +13535,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13548,7 +13548,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and @@ -13563,7 +13563,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13579,7 +13579,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13594,7 +13594,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-961 +Index: geneve-ut-0961 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13610,7 +13610,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-963 +Index: geneve-ut-0963 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt 
@@ -13622,7 +13622,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-965 +Index: geneve-ut-0965 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -13634,7 +13634,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 60 Document count: 60 -Index: geneve-ut-966 +Index: geneve-ut-0966 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -13652,7 +13652,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-968 +Index: geneve-ut-0968 ```python library where dll.name : "Bitsproxy.dll" and process.executable != null and @@ -13666,7 +13666,7 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") Branch count: 1 Document count: 1 -Index: geneve-ut-972 +Index: geneve-ut-0972 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -13680,7 +13680,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13694,7 +13694,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and @@ -13707,7 +13707,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-976 +Index: geneve-ut-0976 ```python sequence with maxspan=1h 
@@ -13725,7 +13725,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13747,7 +13747,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-984 +Index: geneve-ut-0984 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -13820,7 +13820,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-985 +Index: geneve-ut-0985 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -13834,7 +13834,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python sequence by process.entity_id with maxspan=5m @@ -13902,7 +13902,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python sequence by host.id, process.entity_id with maxspan=1m diff --git a/tests/reports/alerts_from_rules-8.11.md b/tests/reports/alerts_from_rules-8.11.md index 84d2e33c..08f65a9d 100644 --- a/tests/reports/alerts_from_rules-8.11.md +++ b/tests/reports/alerts_from_rules-8.11.md @@ -19,7 +19,7 @@ Rules version: 8.11.21 Branch count: 4608 Document count: 13824 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python sequence by host.id, user.id with maxspan=1m @@ -40,7 +40,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python sequence by host.id, source.ip, user.name with maxspan=15s 
@@ -59,7 +59,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -78,7 +78,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -138,7 +138,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -155,7 +155,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 4608 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where host.os.type == "windows" and event.type == "start" and @@ -204,7 +204,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1836 Document count: 1836 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -236,7 +236,7 @@ process.name == "ln" and process.args in ("-s", "-sf") and Branch count: 2 Document count: 2 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -249,7 +249,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and 
@@ -262,7 +262,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -282,7 +282,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-291 +Index: geneve-ut-0291 Failure message(s): got 1000 signals, expected 4608 @@ -305,7 +305,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-622 +Index: geneve-ut-0622 Failure message(s): got 1000 signals, expected 1024 @@ -326,7 +326,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-627 +Index: geneve-ut-0627 Failure message(s): got 1000 signals, expected 1024 @@ -347,7 +347,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-680 +Index: geneve-ut-0680 Failure message(s): got 5 signals, expected 6 @@ -364,7 +364,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-687 +Index: geneve-ut-0687 Failure message(s): got 1000 signals, expected 1794 @@ -426,7 +426,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-721 +Index: geneve-ut-0721 Failure message(s): got 1000 signals, expected 2048 @@ -445,7 +445,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-762 +Index: geneve-ut-0762 Failure message(s): got 24 signals, expected 32 @@ -470,7 +470,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 4608 Document count: 4608 -Index: geneve-ut-921 +Index: geneve-ut-0921 Failure message(s): got 1000 signals, expected 4608 
@@ -521,7 +521,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 22 -Index: geneve-ut-951 +Index: geneve-ut-0951 Failure message(s): got 8 signals, expected 11 @@ -542,7 +542,7 @@ sequence by host.id with maxspan=5s Branch count: 1836 Document count: 1836 -Index: geneve-ut-975 +Index: geneve-ut-0975 Failure message(s): got 1000 signals, expected 1836 @@ -576,7 +576,7 @@ process.name == "ln" and process.args in ("-s", "-sf") and Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -603,7 +603,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -633,7 +633,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -668,7 +668,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -680,7 +680,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success 
@@ -692,7 +692,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -704,7 +704,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -716,7 +716,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -728,7 +728,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -740,7 +740,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -767,7 +767,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -779,7 +779,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python process where event.module == "cloud_defend" and @@ -796,7 +796,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -809,7 +809,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -821,7 +821,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -835,7 +835,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset: aws.cloudtrail @@ -850,7 +850,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -862,7 +862,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -874,7 +874,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -886,7 +886,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -898,7 +898,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -911,7 +911,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -924,7 +924,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -938,7 +938,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -951,7 +951,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-026 +Index: geneve-ut-0026 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -963,7 +963,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -975,7 +975,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -987,7 +987,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -999,7 +999,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success 
@@ -1011,7 +1011,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -1023,7 +1023,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1036,7 +1036,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1048,7 +1048,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail @@ -1063,7 +1063,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset: aws.cloudtrail @@ -1079,7 +1079,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1091,7 +1091,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success 
@@ -1103,7 +1103,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset: "aws.cloudtrail" @@ -1118,7 +1118,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset: aws.cloudtrail @@ -1133,7 +1133,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1145,7 +1145,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -1157,7 +1157,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python any where event.dataset == "aws.cloudtrail" @@ -1172,7 +1172,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1185,7 +1185,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success 
@@ -1197,7 +1197,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -1209,7 +1209,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1221,7 +1221,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1233,7 +1233,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1245,7 +1245,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1257,7 +1257,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-058 +Index: geneve-ut-0058 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and 
@@ -1272,7 +1272,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1284,7 +1284,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1296,7 +1296,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1309,7 +1309,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1322,7 +1322,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1335,7 +1335,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and 
@@ -1350,7 +1350,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -1363,7 +1363,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1376,7 +1376,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -1390,7 +1390,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and @@ -1403,7 +1403,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1415,7 +1415,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -1427,7 +1427,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc
 Branch count: 6
 Document count: 6
-Index: geneve-ut-075
+Index: geneve-ut-0075
 ```python
 event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
@@ -1439,7 +1439,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region
 Branch count: 3
 Document count: 3
-Index: geneve-ut-078
+Index: geneve-ut-0078
 ```python
 (event.dataset:network_traffic.flow or event.category:(network or network_traffic))
@@ -1455,7 +1455,7 @@ Index: geneve-ut-078
 Branch count: 12
 Document count: 12
-Index: geneve-ut-079
+Index: geneve-ut-0079
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -1500,7 +1500,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 4
 Document count: 4
-Index: geneve-ut-080
+Index: geneve-ut-0080
 ```python
 any where event.action == "Directory Service Access" and event.code == "4662" and
@@ -1535,7 +1535,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an
 Branch count: 4
 Document count: 4
-Index: geneve-ut-081
+Index: geneve-ut-0081
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and
@@ -1552,7 +1552,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar
 Branch count: 4
 Document count: 4
-Index: geneve-ut-083
+Index: geneve-ut-0083
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -1572,7 +1572,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 9
 Document count: 18
-Index: geneve-ut-084
+Index: geneve-ut-0084
 ```python
 sequence by winlog.computer_name with maxspan=1m
@@ -1600,7 +1600,7 @@ sequence by winlog.computer_name with maxspan=1m
 Branch count: 48
 Document count: 48
-Index: geneve-ut-085
+Index: geneve-ut-0085
 ```python
 process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and (
@@ -1618,7 +1618,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
 Branch count: 1
 Document count: 1
-Index: geneve-ut-086
+Index: geneve-ut-0086
 ```python
 iam where winlog.api == "wineventlog" and event.code == "4728" and
@@ -1634,7 +1634,7 @@ not group.id : "S-1-5-21-*-513"
 Branch count: 36
 Document count: 36
-Index: geneve-ut-087
+Index: geneve-ut-0087
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -1654,7 +1654,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-088
+Index: geneve-ut-0088
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -1668,7 +1668,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-089
+Index: geneve-ut-0089
 ```python
 event.action:"Directory Service Changes" and event.code:5136 and
@@ -1681,7 +1681,7 @@ event.action:"Directory Service Changes" and event.code:5136 and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-091
+Index: geneve-ut-0091
 ```python
 event.dataset:okta.system and event.action:group.privilege.grant
@@ -1693,7 +1693,7 @@ event.dataset:okta.system and event.action:group.privilege.grant
 Branch count: 1
 Document count: 1
-Index: geneve-ut-092
+Index: geneve-ut-0092
 ```python
 event.dataset:okta.system and event.action:user.account.privilege.grant
@@ -1705,7 +1705,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant
 Branch count: 2
 Document count: 2
-Index: geneve-ut-093
+Index: geneve-ut-0093
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -1720,7 +1720,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-094
+Index: geneve-ut-0094
 ```python
 event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)
@@ -1732,7 +1732,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_
 Branch count: 2
 Document count: 2
-Index: geneve-ut-095
+Index: geneve-ut-0095
 ```python
 event.agent_id_status:(agent_id_mismatch or mismatch)
@@ -1744,7 +1744,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch)
 Branch count: 1
 Document count: 2
-Index: geneve-ut-102
+Index: geneve-ut-0102
 ```python
 sequence by host.id, process.entity_id with maxspan=30s
@@ -1763,7 +1763,7 @@ sequence by host.id, process.entity_id with maxspan=30s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-103
+Index: geneve-ut-0103
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
@@ -1779,7 +1779,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-104
+Index: geneve-ut-0104
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
@@ -1791,7 +1791,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 1
 Document count: 1
-Index: geneve-ut-105
+Index: geneve-ut-0105
 ```python
 event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and
@@ -1806,7 +1806,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"
 Branch count: 8
 Document count: 8
-Index: geneve-ut-107
+Index: geneve-ut-0107
 ```python
 file where host.os.type == "linux" and
@@ -1836,7 +1836,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/*
 Branch count: 1
 Document count: 1
-Index: geneve-ut-108
+Index: geneve-ut-0108
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*"
@@ -1848,7 +1848,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 Branch count: 4
 Document count: 4
-Index: geneve-ut-109
+Index: geneve-ut-0109
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -1861,7 +1861,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-110
+Index: geneve-ut-0110
 ```python
 event.dataset:okta.system and event.action:system.api_token.create
@@ -1873,7 +1873,7 @@ event.dataset:okta.system and event.action:system.api_token.create
 Branch count: 1
 Document count: 1
-Index: geneve-ut-111
+Index: geneve-ut-0111
 ```python
 event.dataset:okta.system and event.action:application.lifecycle.deactivate
@@ -1885,7 +1885,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate
 Branch count: 1
 Document count: 1
-Index: geneve-ut-112
+Index: geneve-ut-0112
 ```python
 event.dataset:okta.system and event.action:zone.deactivate
@@ -1897,7 +1897,7 @@ event.dataset:okta.system and event.action:zone.deactivate
 Branch count: 1
 Document count: 1
-Index: geneve-ut-113
+Index: geneve-ut-0113
 ```python
 event.dataset:okta.system and event.action:policy.lifecycle.deactivate
@@ -1909,7 +1909,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate
 Branch count: 1
 Document count: 1
-Index: geneve-ut-114
+Index: geneve-ut-0114
 ```python
 event.dataset:okta.system and event.action:policy.rule.deactivate
@@ -1921,7 +1921,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate
 Branch count: 1
 Document count: 1
-Index: geneve-ut-115
+Index: geneve-ut-0115
 ```python
 event.dataset:okta.system and event.action:application.lifecycle.delete
@@ -1933,7 +1933,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete
 Branch count: 1
 Document count: 1
-Index: geneve-ut-116
+Index: geneve-ut-0116
 ```python
 event.dataset:okta.system and event.action:zone.delete
@@ -1945,7 +1945,7 @@ event.dataset:okta.system and event.action:zone.delete
 Branch count: 1
 Document count: 1
-Index: geneve-ut-117
+Index: geneve-ut-0117
 ```python
 event.dataset:okta.system and event.action:policy.lifecycle.delete
@@ -1957,7 +1957,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete
 Branch count: 1
 Document count: 1
-Index: geneve-ut-118
+Index: geneve-ut-0118
 ```python
 event.dataset:okta.system and event.action:policy.rule.delete
@@ -1969,7 +1969,7 @@ event.dataset:okta.system and event.action:policy.rule.delete
 Branch count: 2
 Document count: 2
-Index: geneve-ut-119
+Index: geneve-ut-0119
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -1982,7 +1982,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 34
 Document count: 34
-Index: geneve-ut-120
+Index: geneve-ut-0120
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -2009,7 +2009,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 30
 Document count: 30
-Index: geneve-ut-121
+Index: geneve-ut-0121
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -2025,7 +2025,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-122
+Index: geneve-ut-0122
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -2038,7 +2038,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 7
 Document count: 7
-Index: geneve-ut-123
+Index: geneve-ut-0123
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2057,7 +2057,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-124
+Index: geneve-ut-0124
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -2072,7 +2072,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-125
+Index: geneve-ut-0125
 ```python
 event.dataset:okta.system and event.action:application.lifecycle.update
@@ -2084,7 +2084,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update
 Branch count: 3
 Document count: 3
-Index: geneve-ut-126
+Index: geneve-ut-0126
 ```python
 event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)
@@ -2096,7 +2096,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis
 Branch count: 1
 Document count: 1
-Index: geneve-ut-127
+Index: geneve-ut-0127
 ```python
 event.dataset:okta.system and event.action:policy.lifecycle.update
@@ -2108,7 +2108,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update
 Branch count: 1
 Document count: 1
-Index: geneve-ut-128
+Index: geneve-ut-0128
 ```python
 event.dataset:okta.system and event.action:policy.rule.update
@@ -2120,7 +2120,7 @@ event.dataset:okta.system and event.action:policy.rule.update
 Branch count: 8
 Document count: 8
-Index: geneve-ut-129
+Index: geneve-ut-0129
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -2139,7 +2139,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-130
+Index: geneve-ut-0130
 ```python
 event.dataset:okta.system and event.action:user.mfa.factor.reset_all
@@ -2151,7 +2151,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all
 Branch count: 1
 Document count: 1
-Index: geneve-ut-132
+Index: geneve-ut-0132
 ```python
 event.dataset:okta.system and event.action:system.api_token.revoke
@@ -2163,7 +2163,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke
 Branch count: 4
 Document count: 4
-Index: geneve-ut-133
+Index: geneve-ut-0133
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -2176,7 +2176,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-134
+Index: geneve-ut-0134
 ```python
 event.dataset:okta.system and event.action:user.mfa.attempt_bypass
@@ -2188,7 +2188,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 Branch count: 3
 Document count: 3
-Index: geneve-ut-135
+Index: geneve-ut-0135
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2218,7 +2218,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-139
+Index: geneve-ut-0139
 ```python
 event.category:file and host.os.type:macos and not event.type:deletion and
@@ -2233,7 +2233,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-140
+Index: geneve-ut-0140
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
@@ -2247,7 +2247,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\
 Branch count: 4
 Document count: 4
-Index: geneve-ut-141
+Index: geneve-ut-0141
 ```python
 event.dataset:azure.signinlogs and
@@ -2261,7 +2261,7 @@ event.dataset:azure.signinlogs and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-142
+Index: geneve-ut-0142
 ```python
 event.dataset:azure.signinlogs and
@@ -2274,7 +2274,7 @@ event.dataset:azure.signinlogs and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-143
+Index: geneve-ut-0143
 ```python
 event.dataset:azure.signinlogs and
@@ -2288,7 +2288,7 @@ event.dataset:azure.signinlogs and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-144
+Index: geneve-ut-0144
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and
@@ -2301,7 +2301,7 @@ event.outcome: "success"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-145
+Index: geneve-ut-0145
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success)
@@ -2313,7 +2313,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica
 Branch count: 2
 Document count: 2
-Index: geneve-ut-146
+Index: geneve-ut-0146
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
@@ -2325,7 +2325,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 6
 Document count: 6
-Index: geneve-ut-147
+Index: geneve-ut-0147
 ```python
 event.dataset:azure.activitylogs and
@@ -2344,7 +2344,7 @@ event.dataset:azure.activitylogs and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-148
+Index: geneve-ut-0148
 ```python
 event.dataset:azure.activitylogs and
@@ -2358,7 +2358,7 @@ event.dataset:azure.activitylogs and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-149
+Index: geneve-ut-0149
 ```python
 event.dataset:azure.activitylogs and
@@ -2376,7 +2376,7 @@ event.dataset:azure.activitylogs and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-150
+Index: geneve-ut-0150
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success)
@@ -2388,7 +2388,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 4
 Document count: 4
-Index: geneve-ut-151
+Index: geneve-ut-0151
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
@@ -2403,7 +2403,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
 Branch count: 2
 Document count: 2
-Index: geneve-ut-152
+Index: geneve-ut-0152
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
@@ -2415,7 +2415,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 4
 Document count: 4
-Index: geneve-ut-153
+Index: geneve-ut-0153
 ```python
 event.dataset:(azure.activitylogs or azure.auditlogs) and
@@ -2428,7 +2428,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su
 Branch count: 2
 Document count: 2
-Index: geneve-ut-154
+Index: geneve-ut-0154
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success)
@@ -2440,7 +2440,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-155
+Index: geneve-ut-0155
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
@@ -2452,7 +2452,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-156
+Index: geneve-ut-0156
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success)
@@ -2464,7 +2464,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-157
+Index: geneve-ut-0157
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)
@@ -2476,7 +2476,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa
 Branch count: 2
 Document count: 2
-Index: geneve-ut-158
+Index: geneve-ut-0158
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success)
@@ -2488,7 +2488,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-159
+Index: geneve-ut-0159
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success)
@@ -2500,7 +2500,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 6
 Document count: 6
-Index: geneve-ut-160
+Index: geneve-ut-0160
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
@@ -2518,7 +2518,7 @@ event.outcome:(Success or success)
 Branch count: 4
 Document count: 4
-Index: geneve-ut-161
+Index: geneve-ut-0161
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
@@ -2534,7 +2534,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage
 Branch count: 2
 Document count: 2
-Index: geneve-ut-162
+Index: geneve-ut-0162
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
@@ -2546,7 +2546,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-163
+Index: geneve-ut-0163
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and
@@ -2559,7 +2559,7 @@ event.outcome:(Success or success)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-164
+Index: geneve-ut-0164
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and
@@ -2572,7 +2572,7 @@ event.outcome:(Success or success)
 Branch count: 4
 Document count: 4
-Index: geneve-ut-165
+Index: geneve-ut-0165
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
@@ -2587,7 +2587,7 @@ event.outcome:(Success or success)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-166
+Index: geneve-ut-0166
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success)
@@ -2599,7 +2599,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-167
+Index: geneve-ut-0167
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success)
@@ -2611,7 +2611,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se
 Branch count: 2
 Document count: 2
-Index: geneve-ut-168
+Index: geneve-ut-0168
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
@@ -2623,7 +2623,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-169
+Index: geneve-ut-0169
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
@@ -2635,7 +2635,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr
 Branch count: 2
 Document count: 2
-Index: geneve-ut-170
+Index: geneve-ut-0170
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success)
@@ -2647,7 +2647,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr
 Branch count: 2
 Document count: 2
-Index: geneve-ut-171
+Index: geneve-ut-0171
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
@@ -2659,7 +2659,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 22
 Document count: 22
-Index: geneve-ut-172
+Index: geneve-ut-0172
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or
@@ -2677,7 +2677,7 @@ event.outcome:(Success or success)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-173
+Index: geneve-ut-0173
 ```python
 process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and
@@ -2691,7 +2691,7 @@ not process.parent.executable == "/usr/sbin/libvirtd"
 Branch count: 16
 Document count: 16
-Index: geneve-ut-174
+Index: geneve-ut-0174
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -2705,7 +2705,7 @@ not process.args in ("--help", "--version")
 Branch count: 9
 Document count: 9
-Index: geneve-ut-175
+Index: geneve-ut-0175
 ```python
 event.category:file and event.type:change and
@@ -2730,7 +2730,7 @@ event.category:file and event.type:change and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-176
+Index: geneve-ut-0176
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2745,7 +2745,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-177
+Index: geneve-ut-0177
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -2760,7 +2760,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/
 Branch count: 13
 Document count: 13
-Index: geneve-ut-178
+Index: geneve-ut-0178
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2782,7 +2782,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-179
+Index: geneve-ut-0179
 ```python
 file where host.os.type == "windows" and event.action : "creation" and
@@ -2811,7 +2811,7 @@ file where host.os.type == "windows" and event.action : "creation" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-180
+Index: geneve-ut-0180
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2829,7 +2829,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-182
+Index: geneve-ut-0182
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -2847,7 +2847,7 @@ not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*")
 Branch count: 24
 Document count: 24
-Index: geneve-ut-183
+Index: geneve-ut-0183
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2863,7 +2863,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 9
 Document count: 9
-Index: geneve-ut-184
+Index: geneve-ut-0184
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2885,7 +2885,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-186
+Index: geneve-ut-0186
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2899,7 +2899,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 24
 Document count: 24
-Index: geneve-ut-187
+Index: geneve-ut-0187
 ```python
 registry where host.os.type == "windows" and event.type : ("creation", "change") and
@@ -2920,7 +2920,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change")
 Branch count: 12
 Document count: 12
-Index: geneve-ut-188
+Index: geneve-ut-0188
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
@@ -2940,7 +2940,7 @@ process.parent.name: (
 Branch count: 1
 Document count: 2
-Index: geneve-ut-189
+Index: geneve-ut-0189
 ```python
 sequence by process.entity_id
@@ -2963,7 +2963,7 @@ sequence by process.entity_id
 Branch count: 2
 Document count: 2
-Index: geneve-ut-190
+Index: geneve-ut-0190
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2980,7 +2980,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 54
 Document count: 54
-Index: geneve-ut-191
+Index: geneve-ut-0191
 ```python
 registry where host.os.type == "windows" and
@@ -3042,7 +3042,7 @@ registry where host.os.type == "windows" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-192
+Index: geneve-ut-0192
 ```python
 library where host.os.type == "windows" and event.action == "load" and
@@ -3072,7 +3072,7 @@ library where host.os.type == "windows" and event.action == "load" and
 Branch count: 24
 Document count: 24
-Index: geneve-ut-194
+Index: geneve-ut-0194
 ```python
 network where host.os.type == "windows" and network.protocol == "dns" and
@@ -3097,7 +3097,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-196
+Index: geneve-ut-0196
 ```python
 sequence by process.entity_id
@@ -3118,7 +3118,7 @@ sequence by process.entity_id
 Branch count: 1
 Document count: 2
-Index: geneve-ut-197
+Index: geneve-ut-0197
 ```python
 sequence by process.entity_id
@@ -3139,7 +3139,7 @@ sequence by process.entity_id
 Branch count: 9
 Document count: 9
-Index: geneve-ut-198
+Index: geneve-ut-0198
 ```python
 process where container.id: "*" and event.type== "start"
@@ -3152,7 +3152,7 @@ process where container.id: "*" and event.type== "start"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-199
+Index: geneve-ut-0199
 ```python
 event.kind:alert and event.module:cloud_defend
@@ -3164,7 +3164,7 @@ event.kind:alert and event.module:cloud_defend
 Branch count: 24
 Document count: 24
-Index: geneve-ut-200
+Index: geneve-ut-0200
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3190,7 +3190,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 5
 Document count: 5
-Index: geneve-ut-202
+Index: geneve-ut-0202
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and
@@ -3210,7 +3210,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-203
+Index: geneve-ut-0203
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
@@ -3223,7 +3223,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-204
+Index: geneve-ut-0204
 ```python
 file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
@@ -3236,7 +3236,7 @@ not process.name == "dockerd"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-205
+Index: geneve-ut-0205
 ```python
 file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and
@@ -3251,7 +3251,7 @@ file.extension == "ko" and not process.name : (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-206
+Index: geneve-ut-0206
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -3268,7 +3268,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-207
+Index: geneve-ut-0207
 ```python
 any where host.os.type == "windows" and event.action == "Directory Service Changes" and
@@ -3282,7 +3282,7 @@ any where host.os.type == "windows" and event.action == "Directory Service Chang
 Branch count: 2
 Document count: 2
-Index: geneve-ut-208
+Index: geneve-ut-0208
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -3297,7 +3297,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 2
 Document count: 2
-Index: geneve-ut-209
+Index: geneve-ut-0209
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
@@ -3309,7 +3309,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name
 Branch count: 16
 Document count: 16
-Index: geneve-ut-211
+Index: geneve-ut-0211
 ```python
 registry where host.os.type == "windows" and event.type in ("creation", "change") and
@@ -3352,7 +3352,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-212
+Index: geneve-ut-0212
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -3367,7 +3367,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-213
+Index: geneve-ut-0213
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3382,7 +3382,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-214
+Index: geneve-ut-0214
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
@@ -3394,7 +3394,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-215
+Index: geneve-ut-0215
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
@@ -3406,7 +3406,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-216
+Index: geneve-ut-0216
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
@@ -3418,7 +3418,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-217
+Index: geneve-ut-0217
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
@@ -3430,7 +3430,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 80
 Document count: 80
-Index: geneve-ut-218
+Index: geneve-ut-0218
 ```python
 file where host.os.type == "linux" and
@@ -3464,7 +3464,7 @@ event.action in ("rename", "creation") and file.path : (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-219
+Index: geneve-ut-0219
 ```python
 event.dataset:cyberarkpas.audit and event.type:error
@@ -3476,7 +3476,7 @@ event.dataset:cyberarkpas.audit and event.type:error
 Branch count: 20
 Document count: 20
-Index: geneve-ut-220
+Index: geneve-ut-0220
 ```python
 event.dataset:cyberarkpas.audit and
@@ -3491,7 +3491,7 @@ event.dataset:cyberarkpas.audit and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-221
+Index: geneve-ut-0221
 ```python
 file where host.os.type == "linux" and event.action in ("rename", "creation") and
@@ -3522,7 +3522,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*
 Branch count: 3
 Document count: 3
-Index: geneve-ut-222
+Index: geneve-ut-0222
 ```python
 registry where host.os.type == "windows" and event.type : "change" and
@@ -3538,7 +3538,7 @@ registry where host.os.type == "windows" and event.type : "change" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-224
+Index: geneve-ut-0224
 ```python
 registry where host.os.type == "windows" and event.type in ("creation", "change") and
@@ -3556,7 +3556,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 Branch count: 9
 Document count: 9
-Index: geneve-ut-225
+Index: geneve-ut-0225
 ```python
 (event.dataset: network_traffic.tls or event.category: (network or network_traffic))
@@ -3571,7 +3571,7 @@ Index: geneve-ut-225
 Branch count: 2
 Document count: 2
-Index: geneve-ut-227
+Index: geneve-ut-0227
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3585,7 +3585,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-228
+Index: geneve-ut-0228
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3599,7 +3599,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-230
+Index: geneve-ut-0230
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3621,7 +3621,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-231
+Index: geneve-ut-0231
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3638,7 +3638,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-232
+Index: geneve-ut-0232
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3660,7 +3660,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 24
 Document count: 24
-Index: geneve-ut-233
+Index: geneve-ut-0233
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3677,7 +3677,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-234
+Index: geneve-ut-0234
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -3692,7 +3692,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-236
+Index: geneve-ut-0236
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
@@ -3704,7 +3704,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 4
 Document count: 4
-Index: geneve-ut-239
+Index: geneve-ut-0239
 ```python
 event.category:process and host.os.type:macos and event.type:start and
@@ -3717,7 +3717,7 @@ event.category:process and host.os.type:macos and event.type:start and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-240
+Index: geneve-ut-0240
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
@@ -3729,7 +3729,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 10
 Document count: 20
-Index: geneve-ut-241
+Index: geneve-ut-0241
 ```python
 sequence by process.entity_id with maxspan=1m
@@ -3747,7 +3747,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 12
 Document count: 12
-Index: geneve-ut-243
+Index: geneve-ut-0243
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -3760,7 +3760,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 108
 Document count: 108
-Index: geneve-ut-244
+Index: geneve-ut-0244
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -3775,7 +3775,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 12
 Document count: 12
-Index: geneve-ut-245
+Index: geneve-ut-0245
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -3789,7 +3789,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-246
+Index: geneve-ut-0246
 ```python
 event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*
@@ -3801,7 +3801,7 @@ event.category:process and event.type:(process_started or start) and process.nam
 Branch count: 201
 Document count: 201
-Index: geneve-ut-247
+Index: geneve-ut-0247
 ```python
 process where
@@ -3832,7 +3832,7 @@ or
 Branch count: 3
 Document count: 3
-Index: geneve-ut-248
+Index: geneve-ut-0248
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and
@@ -3845,7 +3845,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-249
+Index: geneve-ut-0249
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3859,7 +3859,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis
 Branch count: 1
 Document count: 1
-Index: geneve-ut-250
+Index: geneve-ut-0250
 ```python
 registry where host.os.type == "windows" and
@@ -3873,7 +3873,7 @@ registry where host.os.type == "windows" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-251
+Index: geneve-ut-0251
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3904,7 +3904,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-252
+Index: geneve-ut-0252
 ```python
 event.kind:alert and event.module:(endpoint and not endgame)
@@ -3916,7 +3916,7 @@ event.kind:alert and event.module:(endpoint and not endgame)
 Branch count: 3
 Document count: 3
-Index: geneve-ut-253
+Index: geneve-ut-0253
 ```python
 event.dataset:(azure.activitylogs or azure.signinlogs)
@@ -3933,7 +3933,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-254
+Index: geneve-ut-0254
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3947,7 +3947,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 7
 Document count: 7
-Index: geneve-ut-255
+Index: geneve-ut-0255
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3966,7 +3966,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 Branch count: 64
 Document count: 64
-Index: geneve-ut-257
+Index: geneve-ut-0257
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3993,7 +3993,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 276
 Document count: 276
-Index: geneve-ut-261
+Index: geneve-ut-0261
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -4024,7 +4024,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 2
 Document count: 2
-Index: geneve-ut-262
+Index: geneve-ut-0262
 ```python
 event.category:process and host.os.type:windows and
@@ -4044,7 +4044,7 @@ event.category:process and host.os.type:windows and
 Branch count: 360
 Document count: 360
-Index: geneve-ut-263
+Index: geneve-ut-0263
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -4073,7 +4073,7 @@ process.args : (
 Branch count: 64
 Document count: 64
-Index: geneve-ut-265
+Index: geneve-ut-0265
 ```python
 file where host.os.type == "windows" and event.action != "deletion" and
@@ -4101,7 +4101,7 @@ file where host.os.type == "windows" and event.action != "deletion" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-266
+Index: geneve-ut-0266
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -4114,7 +4114,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null
 Branch count: 4
 Document count: 8
-Index: geneve-ut-268
+Index: geneve-ut-0268
 ```python
 sequence by process.entity_id with maxspan=5m
@@ -4134,7 +4134,7 @@ sequence by process.entity_id with maxspan=5m
 Branch count: 4
 Document count: 4
-Index: geneve-ut-269
+Index: geneve-ut-0269
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4153,7 +4153,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 24
 Document count: 48
-Index: geneve-ut-270
+Index: geneve-ut-0270
 ```python
 sequence with maxspan=2h
@@ -4178,7 +4178,7 @@ sequence with maxspan=2h
 Branch count: 4
 Document count: 8
-Index: geneve-ut-271
+Index: geneve-ut-0271
 ```python
 sequence with maxspan=2h
@@ -4203,7 +4203,7 @@ sequence with maxspan=2h
 Branch count: 54
 Document count: 162
-Index: geneve-ut-272
+Index: geneve-ut-0272
 ```python
 /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */
@@ -4232,7 +4232,7 @@ sequence by host.id, user.name with maxspan=1m
 Branch count: 2
 Document count: 2
-Index: geneve-ut-274
+Index: geneve-ut-0274
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*)
@@ -4244,7 +4244,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 7
 Document count: 7
-Index: geneve-ut-276
+Index: geneve-ut-0276
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and
@@ -4267,7 +4267,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa
 Branch count: 2
 Document count: 4
-Index: geneve-ut-277
+Index: geneve-ut-0277
 ```python
 sequence by user.id with maxspan=5s
@@ -4282,7 +4282,7 @@ sequence by user.id with maxspan=5s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-278
+Index: geneve-ut-0278
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
@@ -4294,7 +4294,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex
 Branch count: 2
 Document count: 2
-Index: geneve-ut-279
+Index: geneve-ut-0279
 ```python
 process where host.os.type == "windows" and event.type : "start" and
@@ -4316,7 +4316,7 @@ process where host.os.type == "windows" and event.type : "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-280
+Index: geneve-ut-0280
 ```python
 file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
@@ -4328,7 +4328,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path :
 Branch count: 24
 Document count: 24
-Index: geneve-ut-281
+Index: geneve-ut-0281
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -4342,7 +4342,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-282
+Index: geneve-ut-0282
 ```python
 driver where host.os.type == "windows" and process.pid == 4 and
@@ -4355,7 +4355,7 @@ driver where host.os.type == "windows" and process.pid == 4 and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-283
+Index: geneve-ut-0283
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
@@ -4367,7 +4367,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-284
+Index: geneve-ut-0284
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
@@ -4379,7 +4379,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 6
 Document count: 6
-Index: geneve-ut-285
+Index: geneve-ut-0285
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4393,7 +4393,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-286
+Index: geneve-ut-0286
 ```python
 event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
@@ -4405,7 +4405,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-290
+Index: geneve-ut-0290
 ```python
 file where host.os.type == "windows" and event.code : "2" and
@@ -4437,7 +4437,7 @@ file where host.os.type == "windows" and event.code : "2" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-292
+Index: geneve-ut-0292
 ```python
 process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in (
@@ -4451,7 +4451,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name
 Branch count: 20
 Document count: 20
-Index: geneve-ut-293
+Index: geneve-ut-0293
 ```python
 file where container.id: "*" and event.type in ("change", "creation") and
@@ -4467,7 +4467,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-295
+Index: geneve-ut-0295
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -4482,7 +4482,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-296
+Index: geneve-ut-0296
 ```python
 process where event.module == "cloud_defend" and
@@ -4497,7 +4497,7 @@ process where event.module == "cloud_defend" and
 Branch count: 375
 Document count: 750
-Index: geneve-ut-297
+Index: geneve-ut-0297
 ```python
 sequence by process.entity_id
@@ -4524,7 +4524,7 @@ sequence by process.entity_id
 Branch count: 16
 Document count: 16
-Index: geneve-ut-298
+Index: geneve-ut-0298
 ```python
 process where event.type == "start" and host.os.type == "windows" and
@@ -4545,7 +4545,7 @@ not (
 Branch count: 2
 Document count: 2
-Index: geneve-ut-299
+Index: geneve-ut-0299
 ```python
 process where host.os.type == "linux" and event.type == "start" and user.id == "0" and
@@ -4560,7 +4560,7 @@ process where host.os.type == "linux" and event.type == "start" and user.id == "
 Branch count: 11
 Document count: 11
-Index: geneve-ut-300
+Index: geneve-ut-0300
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4586,7 +4586,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-302
+Index: geneve-ut-0302
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and
@@ -4616,7 +4616,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-320
+Index: geneve-ut-0320
 ```python
 event.dataset: google_workspace.alert
@@ -4628,7 +4628,7 @@ event.dataset: google_workspace.alert
 Branch count: 8
 Document count: 8
-Index: geneve-ut-321
+Index: geneve-ut-0321
 ```python
 registry where host.os.type == "windows" and
@@ -4646,7 +4646,7 @@ registry where host.os.type == "windows" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-322
+Index: geneve-ut-0322
 ```python
 event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
@@ -4658,7 +4658,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-323
+Index: geneve-ut-0323
 ```python
 event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
@@ -4670,7 +4670,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-324
+Index: geneve-ut-0324
 ```python
 event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
@@ -4682,7 +4682,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap
 Branch count: 1
 Document count: 1
-Index: geneve-ut-325
+Index: geneve-ut-0325
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
@@ -4694,7 +4694,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even
 Branch count: 1
 Document count: 1
-Index: geneve-ut-326
+Index: geneve-ut-0326
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
@@ -4706,7 +4706,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even
 Branch count: 1
 Document count: 1
-Index: geneve-ut-327
+Index: geneve-ut-0327
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
@@ -4718,7 +4718,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-328
+Index: geneve-ut-0328
 ```python
 event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
@@ -4730,7 +4730,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet
 Branch count: 1
 Document count: 1
-Index: geneve-ut-329
+Index: geneve-ut-0329
 ```python
 event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
@@ -4742,7 +4742,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet
 Branch count: 1
 Document count: 1
-Index: geneve-ut-330
+Index: geneve-ut-0330
 ```python
 event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
@@ -4754,7 +4754,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat
 Branch count: 1
 Document count: 1
-Index: geneve-ut-331
+Index: geneve-ut-0331
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
@@ -4766,7 +4766,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-332
+Index: geneve-ut-0332
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
@@ -4778,7 +4778,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-333
+Index: geneve-ut-0333
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
@@ -4790,7 +4790,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic
 Branch count: 1
 Document count: 1
-Index: geneve-ut-334
+Index: geneve-ut-0334
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
@@ -4802,7 +4802,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic
 Branch count: 1
 Document count: 1
-Index: geneve-ut-335
+Index: geneve-ut-0335
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
@@ -4814,7 +4814,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-336
+Index: geneve-ut-0336
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
@@ -4826,7 +4826,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-337
+Index: geneve-ut-0337
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
@@ -4838,7 +4838,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou
 Branch count: 1
 Document count: 1
-Index: geneve-ut-338
+Index: geneve-ut-0338
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
@@ -4850,7 +4850,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-339
+Index: geneve-ut-0339
 ```python
 event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
@@ -4862,7 +4862,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-340
+Index: geneve-ut-0340
 ```python
 event.dataset:gcp.audit and event.action:"storage.buckets.delete"
@@ -4874,7 +4874,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-341
+Index: geneve-ut-0341
 ```python
 event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
@@ -4886,7 +4886,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o
 Branch count: 1
 Document count: 1
-Index: geneve-ut-342
+Index: geneve-ut-0342
 ```python
 event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
@@ -4898,7 +4898,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou
 Branch count: 2
 Document count: 2
-Index: geneve-ut-343
+Index: geneve-ut-0343
 ```python
 event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
@@ -4910,7 +4910,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp
 Branch count: 1
 Document count: 1
-Index: geneve-ut-344
+Index: geneve-ut-0344
 ```python
 event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
@@ -4922,7 +4922,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc
 Branch count: 575
 Document count: 575
-Index: geneve-ut-345
+Index: geneve-ut-0345
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in (
@@ -4946,7 +4946,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 4
 Document count: 4
-Index: geneve-ut-346
+Index: geneve-ut-0346
 ```python
 file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and
@@ -4974,7 +4974,7 @@ file.extension == null and process.executable != null and not (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-347
+Index: geneve-ut-0347
 ```python
 configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
@@ -4986,7 +4986,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte
 Branch count: 1
 Document count: 1
-Index: geneve-ut-348
+Index: geneve-ut-0348
 ```python
 iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
@@ -4998,7 +4998,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member
 Branch count: 1
 Document count: 1
-Index: geneve-ut-349
+Index: geneve-ut-0349
 ```python
 configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked"
@@ -5010,7 +5010,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona
 Branch count: 1
 Document count: 1
-Index: geneve-ut-350
+Index: geneve-ut-0350
 ```python
 configuration where event.dataset == "github.audit"
@@ -5023,7 +5023,7 @@ configuration where event.dataset == "github.audit"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-351
+Index: geneve-ut-0351
 ```python
 configuration where event.dataset == "github.audit" and event.action == "repo.create"
@@ -5035,7 +5035,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr
 Branch count: 1
 Document count: 1
-Index: geneve-ut-352
+Index: geneve-ut-0352
 ```python
 configuration where event.module == "github" and event.action == "repo.destroy"
@@ -5047,7 +5047,7 @@ configuration where event.module == "github" and event.action == "repo.destroy"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-354
+Index: geneve-ut-0354
 ```python
 configuration where event.dataset == "github.audit" and event.action == "org.block_user"
@@ -5059,7 +5059,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo
 Branch count: 1
 Document count: 1
-Index: geneve-ut-355
+Index: geneve-ut-0355
 ```python
 event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST"
@@ -5072,7 +5072,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE
 Branch count: 1
 Document count: 1
-Index: geneve-ut-356
+Index: geneve-ut-0356
 ```python
 event.dataset:"google_workspace.login" and event.action:"2sv_disable"
@@ -5084,7 +5084,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-357
+Index: geneve-ut-0357
 ```python
 event.dataset:google_workspace.admin
@@ -5100,7 +5100,7 @@ event.dataset:google_workspace.admin
 Branch count: 1
 Document count: 1
-Index: geneve-ut-358
+Index: geneve-ut-0358
 ```python
 event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE"
@@ -5113,7 +5113,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-359
+Index: geneve-ut-0359
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
@@ -5125,7 +5125,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 2
 Document count: 2
-Index: geneve-ut-360
+Index: geneve-ut-0360
 ```python
 event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
@@ -5138,7 +5138,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT
 Branch count: 1
 Document count: 1
-Index: geneve-ut-361
+Index: geneve-ut-0361
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE
@@ -5150,7 +5150,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 4
 Document count: 4
-Index: geneve-ut-362
+Index: geneve-ut-0362
 ```python
 event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
@@ -5163,7 +5163,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING"
 Branch count: 105
 Document count: 105
-Index: geneve-ut-363
+Index: geneve-ut-0363
 ```python
 file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and
@@ -5180,7 +5180,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy",
 Branch count: 1
 Document count: 1
-Index: geneve-ut-364
+Index: geneve-ut-0364
 ```python
 event.dataset:google_workspace.admin and event.provider:admin
@@ -5194,7 +5194,7 @@ event.dataset:google_workspace.admin and event.provider:admin
 Branch count: 4
 Document count: 8
-Index: geneve-ut-365
+Index: geneve-ut-0365
 ```python
 sequence by source.user.email with maxspan=3m
@@ -5218,7 +5218,7 @@ sequence by source.user.email with maxspan=3m
 Branch count: 12
 Document count: 12
-Index: geneve-ut-366
+Index: geneve-ut-0366
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and
@@ -5239,7 +5239,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 2
 Document count: 2
-Index: geneve-ut-367
+Index: geneve-ut-0367
 ```python
 event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
@@ -5253,7 +5253,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT
 Branch count: 2
 Document count: 2
-Index: geneve-ut-368
+Index: geneve-ut-0368
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
@@ -5265,7 +5265,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 1
 Document count: 1
-Index: geneve-ut-369
+Index: geneve-ut-0369
 ```python
 event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
@@ -5277,7 +5277,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS
 Branch count: 1
 Document count: 1
-Index: geneve-ut-370
+Index: geneve-ut-0370
 ```python
 event.dataset:"google_workspace.admin" and event.type:change and event.category:iam
@@ -5290,7 +5290,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category:
 Branch count: 8
 Document count: 8
-Index: geneve-ut-372
+Index: geneve-ut-0372
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5303,7 +5303,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-374
+Index: geneve-ut-0374
 ```python
 file where event.type == "creation" and process.name == "chflags"
@@ -5315,7 +5315,7 @@ file where event.type == "creation" and process.name == "chflags"
 Branch count: 1
 Document count: 2
-Index: geneve-ut-382
+Index: geneve-ut-0382
 ```python
 sequence by process.entity_id with maxspan=5m
@@ -5332,7 +5332,7 @@ sequence by process.entity_id with maxspan=5m
 Branch count: 12
 Document count: 12
-Index: geneve-ut-383
+Index: geneve-ut-0383
 ```python
 any where
@@ -5361,7 +5361,7 @@ any where
 Branch count: 12
 Document count: 12
-Index: geneve-ut-384
+Index: geneve-ut-0384
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -5374,7 +5374,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 2
 Document count: 2
-Index: geneve-ut-385
+Index: geneve-ut-0385
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5389,7 +5389,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-386
+Index: geneve-ut-0386
 ```python
 (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500
@@ -5401,7 +5401,7 @@ Index: geneve-ut-386
 Branch count: 8
 Document count: 8
-Index: geneve-ut-389
+Index: geneve-ut-0389
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5418,7 +5418,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 4
-Index: geneve-ut-391
+Index: geneve-ut-0391
 ```python
 sequence with maxspan=1m
@@ -5437,7 +5437,7 @@ sequence with maxspan=1m
 Branch count: 2
 Document count: 4
-Index: geneve-ut-392
+Index: geneve-ut-0392
 ```python
 sequence by host.id with maxspan=1m
@@ -5455,7 +5455,7 @@ sequence by host.id with maxspan=1m
 Branch count: 2
 Document count: 4
-Index: geneve-ut-393
+Index: geneve-ut-0393
 ```python
 sequence by host.id with maxspan=5s
@@ -5474,7 +5474,7 @@ sequence by host.id with maxspan=5s
 Branch count: 4
 Document count: 8
-Index: geneve-ut-394
+Index: geneve-ut-0394
 ```python
 sequence by host.id with maxspan = 30s
@@ -5490,7 +5490,7 @@ sequence by host.id with maxspan = 30s
 Branch count: 4
 Document count: 8
-Index: geneve-ut-395
+Index: geneve-ut-0395
 ```python
 sequence by host.id with maxspan=30s
@@ -5506,7 +5506,7 @@ sequence by host.id with maxspan=30s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-396
+Index: geneve-ut-0396
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5519,7 +5519,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-398
+Index: geneve-ut-0398
 ```python
 event.dataset: "aws.cloudtrail"
@@ -5537,7 +5537,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5550,7 +5550,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5566,7 +5566,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5585,7 +5585,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python registry where host.os.type == "windows" and @@ -5604,7 +5604,7 @@ registry where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python process where container.id : "*" and event.type== "start" and @@ -5625,7 +5625,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -5638,7 +5638,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -5656,7 +5656,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.action:modified-user-account and event.code:4738 and @@ -5669,7 +5669,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -5683,7 +5683,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -5742,7 +5742,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5755,7 +5755,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5768,7 +5768,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5781,7 +5781,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" 
@@ -5793,7 +5793,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 22 Document count: 22 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -5807,7 +5807,7 @@ process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh Branch count: 28 Document count: 28 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -5823,7 +5823,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -5835,7 +5835,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:kubernetes.audit_logs @@ -5850,7 +5850,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset: "kubernetes.audit_logs" @@ -5864,7 +5864,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset : "kubernetes.audit_logs" @@ -5880,7 +5880,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python event.dataset : "kubernetes.audit_logs" @@ -5897,7 +5897,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python event.dataset : "kubernetes.audit_logs" 
@@ -5914,7 +5914,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python event.dataset : "kubernetes.audit_logs" @@ -5931,7 +5931,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python event.dataset : "kubernetes.audit_logs" @@ -5964,7 +5964,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python event.dataset : "kubernetes.audit_logs" @@ -5981,7 +5981,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python event.dataset : "kubernetes.audit_logs" @@ -5998,7 +5998,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python event.dataset : "kubernetes.audit_logs" @@ -6015,7 +6015,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python event.dataset : "kubernetes.audit_logs" @@ -6031,7 +6031,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6064,7 +6064,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python any where event.action == "File System" and event.code == "4656" and @@ -6099,7 +6099,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python api where host.os.type == "windows" and 
@@ -6163,7 +6163,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6181,7 +6181,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python sequence by host.id with maxspan=1m @@ -6197,7 +6197,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by host.id with maxspan=1m @@ -6211,7 +6211,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6226,7 +6226,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6288,7 +6288,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -6304,7 +6304,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6324,7 +6324,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python registry where host.os.type == "windows" and registry.path : ( @@ -6340,7 +6340,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python sequence with maxspan=1m @@ -6365,7 +6365,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -6377,7 +6377,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6401,7 +6401,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 84 Document count: 168 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan=15s @@ -6415,7 +6415,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -6427,7 +6427,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com 
@@ -6439,7 +6439,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") @@ -6451,7 +6451,7 @@ process where (problemchild.prediction == 1 or blocklist_label == 1) and not pro Branch count: 2 Document count: 2 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6463,7 +6463,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6475,7 +6475,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6487,7 +6487,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6519,7 +6519,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -6531,7 +6531,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6543,7 +6543,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6555,7 +6555,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -6567,7 +6567,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6579,7 +6579,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -6591,7 +6591,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -6603,7 +6603,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -6615,7 +6615,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -6627,7 +6627,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -6639,7 +6639,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -6651,7 +6651,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -6664,7 +6664,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -6683,7 +6683,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -6695,7 +6695,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -6710,7 +6710,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6724,7 +6724,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -6738,7 +6738,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -6750,7 +6750,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -6762,7 +6762,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6776,7 +6776,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6797,7 +6797,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6811,7 +6811,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6834,7 +6834,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -6859,7 +6859,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python event.category: "process" and host.os.type:windows and @@ -6883,7 +6883,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6898,7 +6898,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6912,7 +6912,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6926,7 +6926,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6940,7 +6940,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6986,7 +6986,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" 
@@ -6998,7 +6998,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -7016,7 +7016,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7033,7 +7033,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7045,7 +7045,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7071,7 +7071,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python event.category:file and host.os.type:linux and event.type:change and @@ -7090,7 +7090,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7112,7 +7112,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 16 Document count: 16 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and 
@@ -7129,7 +7129,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -7143,7 +7143,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7155,7 +7155,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7178,7 +7178,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7191,7 +7191,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7210,7 +7210,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python sequence by process.entity_id @@ -7226,7 +7226,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-508 +Index: geneve-ut-0508 ```python sequence by process.entity_id with maxspan=10m 
@@ -7244,7 +7244,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7256,7 +7256,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7282,7 +7282,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7308,7 +7308,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7332,7 +7332,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7346,7 +7346,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7365,7 +7365,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and 
@@ -7380,7 +7380,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python process where container.id: "*" and event.type== "start" @@ -7403,7 +7403,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7417,7 +7417,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 2 Document count: 2 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7433,7 +7433,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7456,7 +7456,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python sequence by host.id with maxspan=1s @@ -7480,7 +7480,7 @@ sequence by host.id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -7499,7 +7499,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python sequence by process.entity_id @@ -7519,7 +7519,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python sequence by process.entity_id 
@@ -7538,7 +7538,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python sequence by host.id with maxspan=1m @@ -7556,7 +7556,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python sequence by process.entity_id @@ -7581,7 +7581,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python sequence by process.entity_id @@ -7603,7 +7603,7 @@ sequence by process.entity_id Branch count: 2 Document count: 4 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7622,7 +7622,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python registry where host.os.type == "windows" and registry.data.strings : "?*" and @@ -7651,7 +7651,7 @@ registry where host.os.type == "windows" and registry.data.strings : "?*" and Branch count: 2 Document count: 2 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -7667,7 +7667,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7680,7 +7680,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" 
@@ -7692,7 +7692,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -7704,7 +7704,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -7716,7 +7716,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -7728,7 +7728,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" @@ -7740,7 +7740,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -7754,7 +7754,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -7767,7 +7767,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -7779,7 +7779,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -7793,7 +7793,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -7805,7 +7805,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -7818,7 +7818,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python event.dataset:okta.system and event.category:authentication and @@ -7831,7 +7831,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and 
@@ -7854,7 +7854,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -7866,7 +7866,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -7878,7 +7878,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -7890,7 +7890,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -7905,7 +7905,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7919,7 +7919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) 
@@ -7931,7 +7931,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -7943,7 +7943,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7961,7 +7961,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -7974,7 +7974,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -7989,7 +7989,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and @@ -8002,7 +8002,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 12 Document count: 12 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python /* Registry Path ends with backslash */ 
@@ -8027,7 +8027,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8053,7 +8053,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8073,7 +8073,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8092,7 +8092,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8105,7 +8105,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8121,7 +8121,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8147,7 +8147,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-576 +Index: geneve-ut-0576 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8166,7 +8166,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8194,7 +8194,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-578 +Index: geneve-ut-0578 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8209,7 +8209,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python registry where host.os.type == "windows" and @@ -8272,7 +8272,7 @@ registry where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8288,7 +8288,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -8306,7 +8306,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8318,7 +8318,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -8335,7 +8335,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8350,7 +8350,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8367,7 +8367,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and @@ -8383,7 +8383,7 @@ user.name == "postgres" and ( Branch count: 2 Document count: 6 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python sequence by host.id, user.name with maxspan = 5s @@ -8412,7 +8412,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8425,7 +8425,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8438,7 +8438,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python process where event.type in ("start", "process_started", "info") and 
@@ -8462,7 +8462,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -8497,7 +8497,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python process where host.os.type == "windows" and event.code == "10" and @@ -8515,7 +8515,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python process where host.os.type == "windows" and event.code == "10" and @@ -8538,7 +8538,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -8592,7 +8592,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python sequence by process.entity_id with maxspan=1m @@ -8610,7 +8610,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python sequence by process.entity_id @@ -8625,7 +8625,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python any where processor.name == "transaction" and @@ -8639,7 +8639,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8660,7 +8660,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8681,7 +8681,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8694,7 +8694,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8707,7 +8707,7 @@ process.parent.name == "proot" Branch count: 8 Document count: 8 -Index: geneve-ut-614 +Index: geneve-ut-0614 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8723,7 +8723,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8736,7 +8736,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python sequence by process.entity_id with maxspan=3m @@ -8760,7 +8760,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 6 Document count: 6 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8785,7 +8785,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -8798,7 +8798,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python sequence by host.id, user.id with maxspan=1s @@ -8816,7 +8816,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8834,7 +8834,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8847,7 +8847,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8860,7 +8860,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8874,7 +8874,7 @@ process.args : "*hidepid=2*" Branch count: 60 Document count: 120 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python sequence by host.id with maxspan=1m @@ -8910,7 +8910,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -8923,7 +8923,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8941,7 +8941,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -8955,7 +8955,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python sequence by host.id with maxspan=30s @@ -8974,7 +8974,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8987,7 +8987,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9003,7 +9003,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9016,7 +9016,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 156 Document count: 156 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -9044,7 +9044,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 10 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -9062,7 +9062,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 72 Document count: 72 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9076,7 +9076,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 458 Document count: 458 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9104,7 +9104,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9123,7 +9123,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "windows" and @@ -9261,7 +9261,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python process where host.os.type == "windows" and @@ -9332,7 +9332,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python library where host.os.type == "windows" and event.action == "load" and 
@@ -9349,7 +9349,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 12 Document count: 12 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9366,7 +9366,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -9378,7 +9378,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9419,7 +9419,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-658 +Index: geneve-ut-0658 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -9433,7 +9433,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 2 Document count: 4 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python sequence by process.entity_id with maxspan=1m @@ -9453,7 +9453,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -9494,7 +9494,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python network where host.os.type == "windows" and 
@@ -9520,7 +9520,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9533,7 +9533,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 83 Document count: 83 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and @@ -9603,7 +9603,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9617,7 +9617,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9630,7 +9630,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -9652,7 +9652,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -9672,7 +9672,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 46 Document count: 46 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python host.os.type:windows and event.category:process and @@ -9709,7 +9709,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python event.category:process and host.os.type:windows and 
@@ -9905,7 +9905,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9921,7 +9921,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -9935,7 +9935,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -9952,7 +9952,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -9966,7 +9966,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -9982,7 +9982,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -9998,7 +9998,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" 
@@ -10010,7 +10010,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -10026,7 +10026,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python sequence by host.id with maxspan=1m @@ -10046,7 +10046,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10058,7 +10058,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python iam where event.action == "renamed-user-account" and @@ -10072,7 +10072,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10095,7 +10095,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -10115,7 +10115,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10128,7 +10128,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-700 +Index: geneve-ut-0700 ```python file where host.os.type == "windows" and 
@@ -10143,7 +10143,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python /* Identifies the modification of RDP Shadow registry or @@ -10170,7 +10170,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10185,7 +10185,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence with maxspan=1m @@ -10227,7 +10227,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python sequence by host.id with maxspan=5s @@ -10247,7 +10247,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python process where event.type in ("start", "process_started") and @@ -10268,7 +10268,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10282,7 +10282,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10302,7 +10302,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python sequence by host.id with maxspan=5s 
@@ -10331,7 +10331,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10347,7 +10347,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10359,7 +10359,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -10373,7 +10373,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 32 Document count: 96 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -10401,7 +10401,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python sequence by host.id with maxspan=1s @@ -10420,7 +10420,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -10449,7 +10449,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-723 +Index: geneve-ut-0723 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -10462,7 +10462,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -10478,7 +10478,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 2 Document count: 2 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10492,7 +10492,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -10522,7 +10522,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10535,7 +10535,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -10551,7 +10551,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-730 +Index: geneve-ut-0730 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10568,7 +10568,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python any where host.os.type == "windows" and event.action == "Directory Service Changes" and 
@@ -10581,7 +10581,7 @@ any where host.os.type == "windows" and event.action == "Directory Service Chang Branch count: 8 Document count: 16 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -10597,7 +10597,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "windows" and @@ -10611,7 +10611,7 @@ file where host.os.type == "windows" and Branch count: 4 Document count: 16 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python sequence by okta.actor.id with maxspan=10m @@ -10631,7 +10631,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 80 Document count: 80 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10647,7 +10647,7 @@ process.parent.name in ("screen", "tmux") and process.name : ( Branch count: 21 Document count: 21 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:process and host.os.type:windows and @@ -10672,7 +10672,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:process and host.os.type:windows and @@ -10691,7 +10691,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python event.category:process and host.os.type:windows and @@ -10714,7 +10714,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" 
@@ -10726,7 +10726,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python event.category:process and host.os.type:windows and @@ -10751,7 +10751,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10767,7 +10767,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python event.category:process and host.os.type:windows and @@ -10806,7 +10806,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 8 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -10824,7 +10824,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -10841,7 +10841,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10855,7 +10855,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -10869,7 +10869,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -10882,7 +10882,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10925,7 +10925,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python registry where host.os.type == "windows" and registry.path : ( @@ -10945,7 +10945,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-770 +Index: geneve-ut-0770 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -10962,7 +10962,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-772 +Index: geneve-ut-0772 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10976,7 +10976,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-773 +Index: geneve-ut-0773 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10990,7 +10990,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-774 +Index: geneve-ut-0774 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11007,7 +11007,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ 
@@ -11082,7 +11082,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python sequence by winlog.computer_name with maxspan=1m @@ -11103,7 +11103,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11122,7 +11122,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11137,7 +11137,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11192,7 +11192,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11204,7 +11204,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -11216,7 +11216,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -11228,7 +11228,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 114 Document count: 114 -Index: geneve-ut-784 +Index: geneve-ut-0784 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11271,7 +11271,7 @@ not ( Branch count: 3 Document count: 6 -Index: geneve-ut-786 +Index: geneve-ut-0786 ```python sequence by host.id with maxspan=5s @@ -11303,7 +11303,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11316,7 +11316,7 @@ process.name : "* " Branch count: 1 Document count: 1 -Index: geneve-ut-788 +Index: geneve-ut-0788 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11338,7 +11338,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python process where event.action == "exec" and host.os.type == "macos" and @@ -11358,7 +11358,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -11371,7 +11371,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-791 +Index: geneve-ut-0791 ```python sequence by process.entity_id @@ -11395,7 +11395,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -11414,7 +11414,7 @@ file.path : "/private/var/folders/*" Branch count: 4 Document count: 4 -Index: geneve-ut-795 +Index: geneve-ut-0795 ```python registry where host.os.type == "windows" and @@ -11435,7 +11435,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -11447,7 +11447,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -11459,7 +11459,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python registry where host.os.type == "windows" and @@ -11477,7 +11477,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python registry where host.os.type == "windows" and 
@@ -11505,7 +11505,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11520,7 +11520,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-809 +Index: geneve-ut-0809 ```python sequence with maxspan=1m @@ -11550,7 +11550,7 @@ sequence with maxspan=1m Branch count: 13 Document count: 13 -Index: geneve-ut-810 +Index: geneve-ut-0810 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11567,7 +11567,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-811 +Index: geneve-ut-0811 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -11588,7 +11588,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11602,7 +11602,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11616,7 +11616,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python sequence by process.entity_id with maxspan=30s @@ -11640,7 +11640,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python sequence by host.id, process.entity_id 
@@ -11656,7 +11656,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-816 +Index: geneve-ut-0816 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11671,7 +11671,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -11690,7 +11690,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-818 +Index: geneve-ut-0818 ```python iam where event.action == "scheduled-task-created" and @@ -11703,7 +11703,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -11745,7 +11745,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python sequence with maxspan=1m @@ -11768,7 +11768,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python sequence with maxspan=1s @@ -11816,7 +11816,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-823 +Index: geneve-ut-0823 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11829,7 +11829,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-825 +Index: geneve-ut-0825 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s 
@@ -11846,7 +11846,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-826 +Index: geneve-ut-0826 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -11893,7 +11893,7 @@ Index: geneve-ut-826 Branch count: 1 Document count: 1 -Index: geneve-ut-827 +Index: geneve-ut-0827 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -11906,7 +11906,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-828 +Index: geneve-ut-0828 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -11925,7 +11925,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 4 Document count: 4 -Index: geneve-ut-830 +Index: geneve-ut-0830 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -11937,7 +11937,7 @@ Index: geneve-ut-830 Branch count: 6 Document count: 6 -Index: geneve-ut-832 +Index: geneve-ut-0832 ```python file where container.id:"*" and @@ -11950,7 +11950,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-833 +Index: geneve-ut-0833 ```python process where container.id: "*" and event.type == "start" and @@ -11971,7 +11971,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-834 +Index: geneve-ut-0834 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -11985,7 +11985,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-835 +Index: geneve-ut-0835 ```python process where container.id: "*" and event.type== "start" and 
@@ -11999,7 +11999,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 36 Document count: 36 -Index: geneve-ut-838 +Index: geneve-ut-0838 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12017,7 +12017,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-840 +Index: geneve-ut-0840 ```python sequence by host.id with maxspan = 30s @@ -12036,7 +12036,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python registry where host.os.type == "windows" and @@ -12052,7 +12052,7 @@ registry where host.os.type == "windows" and Branch count: 9 Document count: 9 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12067,7 +12067,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12108,7 +12108,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12142,7 +12142,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12156,7 +12156,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12170,7 +12170,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python process where event.type == "start" and @@ -12230,7 +12230,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-851 +Index: geneve-ut-0851 ```python process where container.id: "*" and event.type== "start" and @@ -12273,7 +12273,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where container.id: "*" and event.type== "start" and @@ -12297,7 +12297,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -12310,7 +12310,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python file where host.os.type == "windows" and @@ -12328,7 +12328,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-855 +Index: geneve-ut-0855 ```python sequence by process.entity_id with maxspan = 1m @@ -12345,7 +12345,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -12365,7 +12365,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=5m @@ -12389,7 +12389,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -12410,7 +12410,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12433,7 +12433,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -12446,7 +12446,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -12459,7 +12459,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -12472,7 +12472,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -12484,7 +12484,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 240 Document count: 240 -Index: geneve-ut-865 +Index: geneve-ut-0865 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( @@ -12526,7 +12526,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s 
@@ -12540,7 +12540,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -12562,7 +12562,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" @@ -12576,7 +12576,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12590,7 +12590,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 28 Document count: 28 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python registry where host.os.type == "windows" and registry.path : ( @@ -12614,7 +12614,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-884 +Index: geneve-ut-0884 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -12639,7 +12639,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-885 +Index: geneve-ut-0885 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -12672,7 +12672,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python beacon_stats.is_beaconing: true and @@ -12690,7 +12690,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-889 +Index: geneve-ut-0889 ```python beacon_stats.beaconing_score: 3 
@@ -12702,7 +12702,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python sequence by user.name with maxspan=12h @@ -12717,7 +12717,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -12742,7 +12742,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12757,7 +12757,7 @@ not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args Branch count: 16 Document count: 16 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12771,7 +12771,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python event.category:process and host.os.type:windows and @@ -12797,7 +12797,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12812,7 +12812,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id with maxspan=5s @@ -12834,7 +12834,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python sequence by host.id with maxspan=5s 
@@ -12853,7 +12853,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -12865,7 +12865,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-902 +Index: geneve-ut-0902 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -12878,7 +12878,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence by host.id with maxspan=30s @@ -12892,7 +12892,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -12924,7 +12924,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -12948,7 +12948,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12962,7 +12962,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-907 +Index: geneve-ut-0907 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -12985,7 +12985,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12999,7 +12999,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13229,7 +13229,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -13245,7 +13245,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n Branch count: 1 Document count: 1 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -13258,7 +13258,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python any where host.os.type == "windows" and @@ -13291,7 +13291,7 @@ any where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-914 +Index: geneve-ut-0914 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -13307,7 +13307,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 44 Document count: 44 -Index: geneve-ut-915 +Index: geneve-ut-0915 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -13343,7 +13343,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13379,7 +13379,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-917 +Index: geneve-ut-0917 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13394,7 +13394,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -13410,7 +13410,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python process where host.os.type == "windows" and event.type : "start" and @@ -13438,7 +13438,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-923 +Index: geneve-ut-0923 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13462,7 +13462,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-926 +Index: geneve-ut-0926 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -13478,7 +13478,7 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create Branch count: 2 Document count: 2 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13491,7 +13491,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-931 +Index: geneve-ut-0931 ```python any where host.os.type == "windows" and @@ -13506,7 +13506,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-932 +Index: geneve-ut-0932 ```python registry where host.os.type == "windows" and registry.path : ( @@ -13523,7 +13523,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 6 Document count: 6 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where container.id: "*" and @@ -13544,7 +13544,7 @@ process.args: "*/*sh" Branch count: 1 Document count: 1 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and @@ -13557,7 +13557,7 @@ user.id == "0" Branch count: 1 Document count: 1 -Index: geneve-ut-938 +Index: geneve-ut-0938 ```python process where host.os.type == "windows" and event.code == "10" and @@ -13576,7 +13576,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-939 +Index: geneve-ut-0939 ```python process where host.os.type == "windows" and event.code == "10" and @@ -13611,7 +13611,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 52 Document count: 52 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13632,7 +13632,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -13652,7 +13652,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 24 Document count: 24 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13665,7 +13665,7 @@ process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack Branch count: 14 Document count: 14 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and @@ -13678,7 +13678,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 2 Document count: 2 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -13757,7 +13757,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 2 Document count: 2 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python network where host.os.type == "linux" and event.type == "start" and @@ -13770,7 +13770,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 28 Document count: 28 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python process where container.id: "*" and event.type== "start" and @@ -13787,7 +13787,7 @@ process where container.id: "*" and event.type== "start" and Branch count: 212 Document count: 212 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13811,7 +13811,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-954 +Index: geneve-ut-0954 ```python sequence by host.id, process.parent.pid with maxspan=1m 
@@ -13827,7 +13827,7 @@ sequence by host.id, process.parent.pid with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python event.category:process and host.os.type:windows and @@ -13842,7 +13842,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -13856,7 +13856,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python sequence by host.id with maxspan=30s @@ -13880,7 +13880,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13915,7 +13915,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-961 +Index: geneve-ut-0961 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -13939,7 +13939,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-965 +Index: geneve-ut-0965 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13952,7 +13952,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-966 +Index: geneve-ut-0966 ```python any where host.os.type == "windows" and @@ -13985,7 +13985,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-967 +Index: geneve-ut-0967 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m 
@@ -14003,7 +14003,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-968 +Index: geneve-ut-0968 ```python file where host.os.type == "linux" and event.action == "rename" and @@ -14017,7 +14017,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-969 +Index: geneve-ut-0969 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and @@ -14030,7 +14030,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 152 Document count: 152 -Index: geneve-ut-970 +Index: geneve-ut-0970 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14060,7 +14060,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-971 +Index: geneve-ut-0971 ```python any where host.os.type == "windows" and @@ -14094,7 +14094,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-973 +Index: geneve-ut-0973 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14125,7 +14125,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python registry where host.os.type == "windows" and @@ -14157,7 +14157,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") @@ -14170,7 +14170,7 @@ and process.parent.name == "kill" Branch count: 160 Document count: 160 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python process where host.os.type == "windows" and event.action == "start" and 
@@ -14194,7 +14194,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 136 Document count: 136 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -14211,7 +14211,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-981 +Index: geneve-ut-0981 ```python any where event.dataset == "windows.sysmon_operational" and event.code == "21" and @@ -14224,7 +14224,7 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a Branch count: 30 Document count: 30 -Index: geneve-ut-982 +Index: geneve-ut-0982 ```python any where host.os.type == "windows" and @@ -14239,7 +14239,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python sequence by process.entity_id with maxspan = 2m @@ -14257,7 +14257,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 18 Document count: 18 -Index: geneve-ut-984 +Index: geneve-ut-0984 ```python file where event.action == "open" and host.os.type == "macos" and process.executable != null and @@ -14278,7 +14278,7 @@ file where event.action == "open" and host.os.type == "macos" and process.execut Branch count: 1 Document count: 1 -Index: geneve-ut-985 +Index: geneve-ut-0985 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14297,7 +14297,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -14310,7 +14310,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -14329,7 +14329,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 8 Document count: 8 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14348,7 +14348,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -14387,7 +14387,7 @@ file.Ext.original.path : ( Branch count: 20 Document count: 20 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -14400,7 +14400,7 @@ process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/ Branch count: 2 Document count: 2 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14414,7 +14414,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -14441,7 +14441,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 16 Document count: 16 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and 
diff --git a/tests/reports/alerts_from_rules-8.12.md b/tests/reports/alerts_from_rules-8.12.md index 5bc61fe9..91815328 100644 --- a/tests/reports/alerts_from_rules-8.12.md +++ b/tests/reports/alerts_from_rules-8.12.md @@ -19,7 +19,7 @@ Rules version: 8.12.26 Branch count: 4608 Document count: 13824 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python sequence by host.id, user.id with maxspan=1m @@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-723 +Index: geneve-ut-0723 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 8748 Document count: 17496 -Index: geneve-ut-851 +Index: geneve-ut-0851 ```python sequence with maxspan=1m @@ -213,7 +213,7 @@ sequence with maxspan=1m Branch count: 4608 Document count: 4608 -Index: geneve-ut-971 +Index: geneve-ut-0971 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-311 +Index: geneve-ut-0311 Failure message(s): got 1000 signals, expected 4608 @@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-659 +Index: geneve-ut-0659 Failure message(s): got 1000 signals, expected 1024 @@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-665 +Index: geneve-ut-0665 Failure message(s): got 1000 signals, expected 1024 @@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-716 +Index: geneve-ut-0716 Failure message(s): got 5 signals, expected 6 @@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-723 +Index: geneve-ut-0723 Failure message(s): got 1000 signals, expected 1794 
@@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-758 +Index: geneve-ut-0758 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-801 +Index: geneve-ut-0801 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-851 +Index: geneve-ut-0851 Failure message(s): got 1000 signals, expected 8748 @@ -558,7 +558,7 @@ sequence with maxspan=1m Branch count: 4608 Document count: 4608 -Index: geneve-ut-971 +Index: geneve-ut-0971 Failure message(s): got 1000 signals, expected 4608 @@ -609,7 +609,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 22 -Index: geneve-ut-998 +Index: geneve-ut-0998 Failure message(s): got 8 signals, expected 11 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and 
@@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -749,7 +749,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -761,7 +761,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -773,7 +773,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -785,7 +785,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success 
@@ -797,7 +797,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -809,7 +809,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -824,7 +824,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -836,7 +836,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python process where event.module == "cloud_defend" and @@ -853,7 +853,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -866,7 +866,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success 
@@ -878,7 +878,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -892,7 +892,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset: aws.cloudtrail @@ -907,7 +907,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -919,7 +919,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -931,7 +931,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -943,7 +943,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -955,7 +955,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-026 +Index: geneve-ut-0026 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and 
@@ -968,7 +968,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -981,7 +981,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -995,7 +995,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1008,7 +1008,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -1020,7 +1020,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1032,7 +1032,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success 
@@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1093,7 +1093,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1105,7 +1105,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail @@ -1120,7 +1120,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset: aws.cloudtrail 
@@ -1136,7 +1136,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail @@ -1151,7 +1151,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset: "aws.cloudtrail" @@ -1190,7 +1190,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset: aws.cloudtrail @@ -1205,7 +1205,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1217,7 +1217,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python any where event.dataset == "aws.cloudtrail" @@ -1244,7 +1244,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1257,7 +1257,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1269,7 +1269,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-058 +Index: geneve-ut-0058 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success 
@@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1344,7 +1344,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and 
@@ -1381,7 +1381,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1394,7 +1394,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1407,7 +1407,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1422,7 +1422,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1435,7 +1435,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -1449,7 +1449,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1461,7 +1461,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -1473,7 +1473,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1485,7 +1485,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1501,7 +1501,7 @@ Index: geneve-ut-088 Branch count: 4 Document count: 4 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1518,7 +1518,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1563,7 +1563,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and @@ -1598,7 +1598,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1615,7 +1615,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1635,7 +1635,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python sequence by winlog.computer_name with maxspan=1m @@ -1663,7 +1663,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1681,7 +1681,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1697,7 +1697,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1717,7 +1717,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1731,7 +1731,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1744,7 +1744,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:okta.system and event.action:group.privilege.grant 
@@ -1756,7 +1756,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1768,7 +1768,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1783,7 +1783,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1795,7 +1795,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1807,7 +1807,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1826,7 +1826,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1842,7 +1842,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION 
@@ -1854,7 +1854,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1869,7 +1869,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python file where host.os.type == "linux" and @@ -1899,7 +1899,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1911,7 +1911,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -1924,7 +1924,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1936,7 +1936,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1948,7 +1948,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:zone.deactivate 
@@ -1960,7 +1960,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1972,7 +1972,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1984,7 +1984,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1996,7 +1996,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:okta.system and event.action:zone.delete @@ -2008,7 +2008,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -2020,7 +2020,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2032,7 +2032,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2049,7 +2049,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2062,7 +2062,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2090,7 +2090,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2106,7 +2106,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2119,7 +2119,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2138,7 +2138,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2153,7 +2153,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -2165,7 +2165,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) 
@@ -2177,7 +2177,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2189,7 +2189,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2201,7 +2201,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -2220,7 +2220,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2232,7 +2232,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2244,7 +2244,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2257,7 +2257,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass 
@@ -2269,7 +2269,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2299,7 +2299,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2314,7 +2314,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2328,7 +2328,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python event.dataset:azure.signinlogs and @@ -2342,7 +2342,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.dataset:azure.signinlogs and @@ -2355,7 +2355,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python event.dataset:azure.signinlogs and @@ -2369,7 +2369,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -2382,7 +2382,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) 
@@ -2394,7 +2394,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2406,7 +2406,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:azure.activitylogs and @@ -2425,7 +2425,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:azure.activitylogs and @@ -2439,7 +2439,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:azure.activitylogs and @@ -2457,7 +2457,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2469,7 +2469,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2484,7 +2484,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) 
@@ -2496,7 +2496,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2509,7 +2509,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2521,7 +2521,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2533,7 +2533,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2545,7 +2545,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) 
@@ -2557,7 +2557,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2569,7 +2569,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2581,7 +2581,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2599,7 +2599,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2615,7 +2615,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2627,7 +2627,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and 
@@ -2640,7 +2640,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2653,7 +2653,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2668,7 +2668,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2680,7 +2680,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2692,7 +2692,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2704,7 +2704,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) 
@@ -2716,7 +2716,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2728,7 +2728,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2740,7 +2740,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2758,7 +2758,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2772,7 +2772,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2786,7 +2786,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.category:file and event.type:change and 
@@ -2811,7 +2811,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2826,7 +2826,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2841,7 +2841,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2863,7 +2863,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python file where host.os.type == "windows" and event.action : "creation" and @@ -2892,7 +2892,7 @@ file where host.os.type == "windows" and event.action : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2910,7 +2910,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2930,7 +2930,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 24 Document count: 24 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2946,7 +2946,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2968,7 +2968,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2982,7 +2982,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3000,7 +3000,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -3020,7 +3020,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python sequence by process.entity_id @@ -3043,7 +3043,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3060,7 +3060,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3122,7 +3122,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python library where host.os.type == "windows" and event.action == "load" and 
@@ -3152,7 +3152,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3177,7 +3177,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python sequence by process.entity_id @@ -3198,7 +3198,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python sequence by process.entity_id @@ -3219,7 +3219,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python process where container.id: "*" and event.type== "start" @@ -3232,7 +3232,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python event.kind:alert and event.module:cloud_defend @@ -3244,7 +3244,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 24 Document count: 24 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3270,7 +3270,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3290,7 +3290,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -3303,7 +3303,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -3316,7 +3316,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -3331,7 +3331,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -3348,7 +3348,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -3362,7 +3362,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 2 Document count: 2 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3378,7 +3378,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -3390,7 +3390,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 8 Document count: 8 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and 
@@ -3435,7 +3435,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 2 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -3450,7 +3450,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 8 Document count: 8 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3465,7 +3465,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3477,7 +3477,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3489,7 +3489,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3501,7 +3501,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) 
@@ -3513,7 +3513,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-231 +Index: geneve-ut-0231 ```python file where host.os.type == "linux" and @@ -3555,7 +3555,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3575,7 +3575,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 1 Document count: 1 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3587,7 +3587,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python event.dataset:cyberarkpas.audit and @@ -3602,7 +3602,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -3633,7 +3633,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3649,7 +3649,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 3 Document count: 3 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3667,7 +3667,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) 
@@ -3682,7 +3682,7 @@ Index: geneve-ut-240 Branch count: 2 Document count: 2 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3696,7 +3696,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3710,7 +3710,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-246 +Index: geneve-ut-0246 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3732,7 +3732,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3749,7 +3749,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3771,7 +3771,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3788,7 +3788,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -3803,7 +3803,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3815,7 +3815,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3828,7 +3828,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3840,7 +3840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python sequence by process.entity_id with maxspan=1m @@ -3858,7 +3858,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -3893,7 +3893,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3908,7 +3908,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -3924,7 +3924,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3938,7 +3938,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3950,7 +3950,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-265 +Index: geneve-ut-0265 ```python sequence by host.id with maxspan=3s @@ -3973,7 +3973,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where @@ -4004,7 +4004,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -4017,7 +4017,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4031,7 +4031,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python registry where host.os.type == "windows" and @@ -4045,7 +4045,7 @@ registry where host.os.type == "windows" and Branch count: 14 Document count: 14 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4076,7 +4076,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -4088,7 +4088,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 3 Document count: 3 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python event.dataset:(azure.activitylogs or azure.signinlogs) @@ -4105,7 +4105,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs) Branch count: 2 Document count: 2 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4119,7 +4119,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4138,7 +4138,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-276 +Index: geneve-ut-0276 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4165,7 +4165,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-280 +Index: geneve-ut-0280 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4196,7 +4196,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:windows and @@ -4209,7 +4209,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -4238,7 +4238,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4266,7 +4266,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-285 +Index: geneve-ut-0285 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4279,7 +4279,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python sequence by process.entity_id with maxspan=5m @@ -4299,7 +4299,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4318,7 +4318,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python sequence with maxspan=2h @@ -4344,7 +4344,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence with maxspan=2h @@ -4369,7 +4369,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4398,7 +4398,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -4410,7 +4410,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4433,7 +4433,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python sequence by user.id with maxspan=5s @@ -4448,7 +4448,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -4460,7 +4460,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4482,7 +4482,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4494,7 +4494,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4508,7 +4508,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python driver where host.os.type == "windows" and process.pid == 4 and 
@@ -4521,7 +4521,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4533,7 +4533,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4545,7 +4545,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4559,7 +4559,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4571,7 +4571,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4603,7 +4603,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python sequence by host.id with maxspan=10s @@ -4620,7 +4620,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( 
@@ -4634,7 +4634,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -4650,7 +4650,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4665,7 +4665,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python process where event.module == "cloud_defend" and @@ -4680,7 +4680,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python sequence by process.entity_id @@ -4707,7 +4707,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4728,7 +4728,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4747,7 +4747,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4773,7 +4773,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and 
@@ -4803,7 +4803,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python event.dataset: google_workspace.alert @@ -4815,7 +4815,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python registry where host.os.type == "windows" and @@ -4833,7 +4833,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4845,7 +4845,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4857,7 +4857,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4869,7 +4869,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -4881,7 +4881,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success 
@@ -4893,7 +4893,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -4905,7 +4905,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -4917,7 +4917,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -4929,7 +4929,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -4941,7 +4941,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -4953,7 +4953,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success 
@@ -4965,7 +4965,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4977,7 +4977,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4989,7 +4989,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-357 +Index: geneve-ut-0357 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5001,7 +5001,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5013,7 +5013,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -5025,7 +5025,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success 
@@ -5037,7 +5037,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -5049,7 +5049,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5061,7 +5061,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5073,7 +5073,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5085,7 +5085,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5097,7 +5097,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -5109,7 +5109,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( 
@@ -5133,7 +5133,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python sequence by host.id with maxspan=3s @@ -5151,7 +5151,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5179,7 +5179,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python sequence by host.id with maxspan=3s @@ -5204,7 +5204,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5216,7 +5216,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5228,7 +5228,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -5240,7 +5240,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python configuration where event.dataset == "github.audit" 
@@ -5253,7 +5253,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -5265,7 +5265,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5277,7 +5277,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5289,7 +5289,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5302,7 +5302,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5314,7 +5314,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:google_workspace.admin @@ -5330,7 +5330,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" 
@@ -5343,7 +5343,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -5355,7 +5355,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5368,7 +5368,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5380,7 +5380,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5393,7 +5393,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -5410,7 +5410,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:google_workspace.admin and event.provider:admin 
@@ -5424,7 +5424,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python sequence by source.user.email with maxspan=3m @@ -5448,7 +5448,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -5469,7 +5469,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5483,7 +5483,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5495,7 +5495,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5507,7 +5507,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -5520,7 +5520,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5533,7 +5533,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5545,7 +5545,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python sequence by process.entity_id with maxspan=5m @@ -5562,7 +5562,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python any where @@ -5591,7 +5591,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5604,7 +5604,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5619,7 +5619,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5631,7 +5631,7 @@ Index: geneve-ut-410 Branch count: 8 Document count: 8 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5648,7 +5648,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python sequence with maxspan=1m 
@@ -5667,7 +5667,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by host.id with maxspan=1m @@ -5685,7 +5685,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python sequence by host.id with maxspan=5s @@ -5704,7 +5704,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python sequence by host.id with maxspan = 30s @@ -5720,7 +5720,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python sequence by host.id with maxspan=30s @@ -5736,7 +5736,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5749,7 +5749,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python event.dataset: "aws.cloudtrail" @@ -5767,7 +5767,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5780,7 +5780,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5796,7 +5796,7 @@ sequence by process.entity_id Branch count: 1 Document count: 1 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -5815,7 +5815,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5834,7 +5834,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python process where container.id : "*" and event.type== "start" and @@ -5855,7 +5855,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -5868,7 +5868,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -5886,7 +5886,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -5899,7 +5899,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -5913,7 +5913,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and 
@@ -5972,7 +5972,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5985,7 +5985,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5998,7 +5998,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6012,7 +6012,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6028,7 +6028,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6043,7 +6043,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6059,7 +6059,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" 
@@ -6071,7 +6071,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python event.dataset:kubernetes.audit_logs @@ -6086,7 +6086,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python event.dataset: "kubernetes.audit_logs" @@ -6100,7 +6100,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python event.dataset : "kubernetes.audit_logs" @@ -6116,7 +6116,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python event.dataset : "kubernetes.audit_logs" @@ -6133,7 +6133,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python event.dataset : "kubernetes.audit_logs" @@ -6150,7 +6150,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python event.dataset : "kubernetes.audit_logs" @@ -6167,7 +6167,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python event.dataset : "kubernetes.audit_logs" @@ -6200,7 +6200,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python event.dataset : "kubernetes.audit_logs" @@ -6217,7 +6217,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python event.dataset : "kubernetes.audit_logs" @@ -6234,7 +6234,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6251,7 +6251,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python event.dataset : "kubernetes.audit_logs" @@ -6267,7 +6267,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6305,7 +6305,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python any where event.action == "File System" and event.code == "4656" and @@ -6340,7 +6340,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python api where host.os.type == "windows" and @@ -6413,7 +6413,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6431,7 +6431,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python sequence by host.id with maxspan=1m @@ -6447,7 +6447,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python sequence by host.id with maxspan=1m @@ -6461,7 +6461,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6476,7 +6476,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6538,7 +6538,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6552,7 +6552,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -6568,7 +6568,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6587,7 +6587,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python registry where host.os.type == "windows" and registry.path : ( @@ -6603,7 +6603,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python sequence with maxspan=1m @@ -6628,7 +6628,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false 
@@ -6640,7 +6640,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 32 Document count: 32 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6663,7 +6663,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python sequence by host.id with maxspan=15s @@ -6677,7 +6677,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -6689,7 +6689,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6701,7 +6701,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6713,7 +6713,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
@@ -6725,7 +6725,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6737,7 +6737,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6769,7 +6769,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -6781,7 +6781,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6793,7 +6793,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6805,7 +6805,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success 
@@ -6817,7 +6817,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6829,7 +6829,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -6841,7 +6841,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -6853,7 +6853,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -6865,7 +6865,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success 
@@ -6877,7 +6877,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -6889,7 +6889,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -6901,7 +6901,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -6914,7 +6914,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -6933,7 +6933,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -6945,7 +6945,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and 
@@ -6960,7 +6960,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6974,7 +6974,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6988,7 +6988,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -7000,7 +7000,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -7012,7 +7012,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7026,7 +7026,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7047,7 +7047,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7061,7 +7061,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7084,7 +7084,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7109,7 +7109,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-514 +Index: geneve-ut-0514 ```python event.category: "process" and host.os.type:windows and @@ -7133,7 +7133,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7148,7 +7148,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7162,7 +7162,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7176,7 +7176,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7190,7 +7190,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -7232,7 +7232,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -7244,7 +7244,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 6 Document count: 6 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "AmsiEnable" and @@ -7262,7 +7262,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7279,7 +7279,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7291,7 +7291,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7317,7 +7317,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.category:file and host.os.type:linux and event.type:change and 
@@ -7339,7 +7339,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7361,7 +7361,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python registry where host.os.type == "windows" and event.type == "creation" and @@ -7378,7 +7378,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7392,7 +7392,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7404,7 +7404,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7427,7 +7427,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7440,7 +7440,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7459,7 +7459,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python sequence by process.entity_id with maxspan=30s @@ -7496,7 +7496,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python sequence by process.entity_id with maxspan=10m @@ -7514,7 +7514,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7526,7 +7526,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7552,7 +7552,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7578,7 +7578,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7602,7 +7602,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7616,7 +7616,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7635,7 +7635,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -7650,7 +7650,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python process where container.id: "*" and event.type== "start" @@ -7673,7 +7673,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7687,7 +7687,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7703,7 +7703,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7726,7 +7726,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python sequence by host.id with maxspan=1s @@ -7753,7 +7753,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 16 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python sequence by host.id with maxspan=10s @@ -7770,7 +7770,7 @@ sequence by host.id with maxspan=10s Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and 
@@ -7789,7 +7789,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python sequence by process.entity_id @@ -7809,7 +7809,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python sequence by process.entity_id @@ -7828,7 +7828,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python sequence by host.id with maxspan=1m @@ -7848,7 +7848,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python sequence by process.entity_id @@ -7873,7 +7873,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python sequence by process.entity_id @@ -7895,7 +7895,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python network where host.os.type == "linux" and event.type == "start" and @@ -7916,7 +7916,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 2 Document count: 4 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7947,7 +7947,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7977,7 +7977,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python registry where host.os.type == "windows" and event.action != "deletion" and 
@@ -7993,7 +7993,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8006,7 +8006,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -8018,7 +8018,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -8030,7 +8030,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -8042,7 +8042,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -8054,7 +8054,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" 
@@ -8066,7 +8066,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-576 +Index: geneve-ut-0576 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -8080,7 +8080,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8093,7 +8093,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -8105,7 +8105,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -8119,7 +8119,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -8131,7 +8131,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python registry where host.os.type == "windows" and event.action != "deletion" and 
@@ -8144,7 +8144,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python event.dataset:okta.system and event.category:authentication and @@ -8157,7 +8157,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -8180,7 +8180,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -8192,7 +8192,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -8204,7 +8204,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -8216,7 +8216,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 6 Document count: 6 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8233,7 +8233,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op Branch count: 36 Document count: 72 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -8248,7 +8248,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 3 Document count: 3 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and @@ -8265,7 +8265,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 2 Document count: 2 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8279,7 +8279,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8291,7 +8291,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8303,7 +8303,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8321,7 +8321,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -8334,7 +8334,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -8349,7 +8349,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and @@ -8362,7 +8362,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 32 Document count: 32 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8391,7 +8391,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8411,7 +8411,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8430,7 +8430,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8443,7 +8443,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -8459,7 +8459,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8485,7 +8485,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8504,7 +8504,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8532,7 +8532,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8547,7 +8547,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8610,7 +8610,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 14 Document count: 14 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python any where host.os.type == "windows" and @@ -8635,7 +8635,7 @@ any where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8651,7 +8651,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
@@ -8669,7 +8669,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-618 +Index: geneve-ut-0618 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8681,7 +8681,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8698,7 +8698,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8713,7 +8713,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8730,7 +8730,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8750,7 +8750,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p Branch count: 2 Document count: 6 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python sequence by host.id, user.name with maxspan = 5s @@ -8779,7 +8779,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python file where event.module == "cloud_defend" and event.action == "open" and 
@@ -8792,7 +8792,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8805,7 +8805,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python process where event.type in ("start", "process_started", "info") and @@ -8829,7 +8829,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -8864,7 +8864,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.code == "10" and @@ -8882,7 +8882,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python process where host.os.type == "windows" and event.code == "10" and @@ -8905,7 +8905,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -8959,7 +8959,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python sequence by process.entity_id with maxspan=1m @@ -8977,7 +8977,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python sequence by process.entity_id 
@@ -8992,7 +8992,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python any where processor.name == "transaction" and @@ -9006,7 +9006,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9027,7 +9027,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9048,7 +9048,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9061,7 +9061,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" @@ -9073,7 +9073,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path == Branch count: 2 Document count: 2 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9086,7 +9086,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -9104,7 +9104,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9117,7 +9117,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python sequence by process.entity_id with maxspan=3m @@ -9141,7 +9141,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python process where event.type == "start" and host.os.type == "windows" and @@ -9157,7 +9157,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-654 +Index: geneve-ut-0654 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9182,7 +9182,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -9195,7 +9195,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python sequence by host.id, user.id with maxspan=1s @@ -9217,7 +9217,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9235,7 +9235,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9248,7 +9248,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9261,7 +9261,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9274,7 +9274,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9289,7 +9289,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python sequence by host.id with maxspan=1m @@ -9325,7 +9325,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9338,7 +9338,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9356,7 +9356,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where host.os.type == "windows" and event.code:"4688" and 
@@ -9370,7 +9370,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by host.id with maxspan=30s @@ -9389,7 +9389,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9402,7 +9402,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9418,7 +9418,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9431,7 +9431,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9461,7 +9461,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -9479,7 +9479,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( 
@@ -9507,7 +9507,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-680 +Index: geneve-ut-0680 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9526,7 +9526,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-682 +Index: geneve-ut-0682 ```python process where host.os.type == "windows" and @@ -9664,7 +9664,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "windows" and @@ -9735,7 +9735,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9752,7 +9752,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9778,7 +9778,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -9790,7 +9790,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9831,7 +9831,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -9845,7 +9845,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by process.entity_id with maxspan=1m @@ -9873,7 +9873,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -9914,7 +9914,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python network where host.os.type == "windows" and @@ -9940,7 +9940,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9953,7 +9953,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and @@ -10023,7 +10023,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and 
@@ -10037,7 +10037,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10050,7 +10050,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10073,7 +10073,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10093,7 +10093,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python host.os.type:windows and event.category:process and @@ -10130,7 +10130,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python event.category:process and host.os.type:windows and @@ -10323,7 +10323,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -10339,7 +10339,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and 
@@ -10353,7 +10353,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10370,7 +10370,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10384,7 +10384,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10400,7 +10400,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-719 +Index: geneve-ut-0719 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -10416,7 +10416,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10428,7 +10428,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -10444,7 +10444,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python sequence by host.id with maxspan=1m 
@@ -10464,7 +10464,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10476,7 +10476,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python iam where event.action == "renamed-user-account" and @@ -10490,7 +10490,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10513,7 +10513,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10534,7 +10534,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10547,7 +10547,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python file where host.os.type == "windows" and @@ -10562,7 +10562,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python /* Identifies the modification of RDP Shadow registry or @@ -10589,7 +10589,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10604,7 +10604,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python sequence with maxspan=1m @@ -10646,7 +10646,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python sequence by host.id with maxspan=5s @@ -10666,7 +10666,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python process where event.type in ("start", "process_started") and @@ -10687,7 +10687,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10701,7 +10701,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10721,7 +10721,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python sequence by host.id with maxspan=5s @@ -10750,7 +10750,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10766,7 +10766,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" 
@@ -10778,7 +10778,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -10792,7 +10792,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-754 +Index: geneve-ut-0754 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -10820,7 +10820,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-755 +Index: geneve-ut-0755 ```python sequence by host.id with maxspan=1s @@ -10842,7 +10842,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -10871,7 +10871,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10884,7 +10884,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -10900,7 +10900,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -10914,7 +10914,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -10944,7 +10944,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10957,7 +10957,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -10973,7 +10973,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10990,7 +10990,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -11003,7 +11003,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 2 Document count: 2 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -11017,7 +11017,7 @@ process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" a Branch count: 8 Document count: 16 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -11033,7 +11033,7 @@ sequence by host.id, process.entity_id with maxspan = 5s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-773
+Index: geneve-ut-0773
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -11050,7 +11050,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 4
 Document count: 16
-Index: geneve-ut-774
+Index: geneve-ut-0774
 ```python
 sequence by okta.actor.id with maxspan=10m
@@ -11070,7 +11070,7 @@ sequence by okta.actor.id with maxspan=10m
 Branch count: 72
 Document count: 72
-Index: geneve-ut-775
+Index: geneve-ut-0775
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -11086,7 +11086,7 @@ process.parent.name in ("screen", "tmux") and process.name like (
 Branch count: 21
 Document count: 21
-Index: geneve-ut-776
+Index: geneve-ut-0776
 ```python
 event.category:process and host.os.type:windows and
@@ -11111,7 +11111,7 @@ event.category:process and host.os.type:windows and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-778
+Index: geneve-ut-0778
 ```python
 event.category:process and host.os.type:windows and
@@ -11130,7 +11130,7 @@ event.category:process and host.os.type:windows and
 Branch count: 5
 Document count: 5
-Index: geneve-ut-780
+Index: geneve-ut-0780
 ```python
 event.category:process and host.os.type:windows and
@@ -11153,7 +11153,7 @@ event.category:process and host.os.type:windows and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-781
+Index: geneve-ut-0781
 ```python
 event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18"
@@ -11165,7 +11165,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block
 Branch count: 9
 Document count: 9
-Index: geneve-ut-782
+Index: geneve-ut-0782
 ```python
 event.category:process and host.os.type:windows and
@@ -11189,7 +11189,7 @@ event.category:process and host.os.type:windows and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-783
+Index: geneve-ut-0783
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -11205,7 +11205,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 80
 Document count: 80
-Index: geneve-ut-800
+Index: geneve-ut-0800
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and
@@ -11225,7 +11225,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 Branch count: 4
 Document count: 8
-Index: geneve-ut-802
+Index: geneve-ut-0802
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -11258,7 +11258,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 Branch count: 2
 Document count: 4
-Index: geneve-ut-803
+Index: geneve-ut-0803
 ```python
 sequence by host.id, process.entry_leader.entity_id with maxspan=1m
@@ -11275,7 +11275,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m
 Branch count: 4
 Document count: 4
-Index: geneve-ut-804
+Index: geneve-ut-0804
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11289,7 +11289,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-805
+Index: geneve-ut-0805
 ```python
 file where host.os.type == "windows" and event.action : "Pipe Created*" and
@@ -11303,7 +11303,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-806
+Index: geneve-ut-0806
 ```python
 event.category:file and host.os.type:macos and not event.type:deletion and
@@ -11316,7 +11316,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
 Branch count: 426
 Document count: 426
-Index: geneve-ut-807
+Index: geneve-ut-0807
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
@@ -11359,7 +11359,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 12
 Document count: 12
-Index: geneve-ut-808
+Index: geneve-ut-0808
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -11381,7 +11381,7 @@ registry.path : (
 Branch count: 1
 Document count: 5
-Index: geneve-ut-809
+Index: geneve-ut-0809
 ```python
 sequence by winlog.computer_name, source.ip with maxspan=10s
@@ -11398,7 +11398,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s
 Branch count: 7
 Document count: 7
-Index: geneve-ut-812
+Index: geneve-ut-0812
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11412,7 +11412,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-813
+Index: geneve-ut-0813
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -11426,7 +11426,7 @@ user.id != "0"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-814
+Index: geneve-ut-0814
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -11443,7 +11443,7 @@ process.name == "setcap" and not (
 Branch count: 96
 Document count: 96
-Index: geneve-ut-816
+Index: geneve-ut-0816
 ```python
 /* This rule is only compatible with Elastic Endpoint 8.4+ */
@@ -11518,7 +11518,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
 Branch count: 2
 Document count: 4
-Index: geneve-ut-817
+Index: geneve-ut-0817
 ```python
 sequence by winlog.computer_name with maxspan=1m
@@ -11539,7 +11539,7 @@ sequence by winlog.computer_name with maxspan=1m
 Branch count: 8
 Document count: 8
-Index: geneve-ut-818
+Index: geneve-ut-0818
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11558,7 +11558,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-819
+Index: geneve-ut-0819
 ```python
 process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in (
@@ -11573,7 +11573,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap")
 Branch count: 66
 Document count: 66
-Index: geneve-ut-820
+Index: geneve-ut-0820
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11628,7 +11628,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-821
+Index: geneve-ut-0821
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
@@ -11640,7 +11640,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-822
+Index: geneve-ut-0822
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
@@ -11652,7 +11652,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-823
+Index: geneve-ut-0823
 ```python
 process where host.os.type == "windows" and process.name: "MSBuild.exe" and
@@ -11665,7 +11665,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and
 Branch count: 114
 Document count: 114
-Index: geneve-ut-824
+Index: geneve-ut-0824
 ```python
 process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and
@@ -11708,7 +11708,7 @@ not (
 Branch count: 3
 Document count: 6
-Index: geneve-ut-826
+Index: geneve-ut-0826
 ```python
 sequence by host.id with maxspan=5s
@@ -11740,7 +11740,7 @@ sequence by host.id with maxspan=5s
 Branch count: 4
 Document count: 4
-Index: geneve-ut-827
+Index: geneve-ut-0827
 ```python
 process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
@@ -11753,7 +11753,7 @@ process.name : "* "
 Branch count: 1
 Document count: 1
-Index: geneve-ut-828
+Index: geneve-ut-0828
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11775,7 +11775,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-829
+Index: geneve-ut-0829
 ```python
 process where event.action == "exec" and host.os.type == "macos" and
@@ -11795,7 +11795,7 @@ process where event.action == "exec" and host.os.type == "macos" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-830
+Index: geneve-ut-0830
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -11808,7 +11808,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 2
-Index: geneve-ut-831
+Index: geneve-ut-0831
 ```python
 sequence by process.entity_id
@@ -11832,7 +11832,7 @@ sequence by process.entity_id
 Branch count: 2
 Document count: 2
-Index: geneve-ut-832
+Index: geneve-ut-0832
 ```python
 file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and
@@ -11851,7 +11851,7 @@ file.path : "/private/var/folders/*"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-835
+Index: geneve-ut-0835
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -11871,7 +11871,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 4
 Document count: 8
-Index: geneve-ut-836
+Index: geneve-ut-0836
 ```python
 sequence by process.entity_id with maxspan=1m
@@ -11886,7 +11886,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 2
 Document count: 2
-Index: geneve-ut-840
+Index: geneve-ut-0840
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
@@ -11898,7 +11898,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-841
+Index: geneve-ut-0841
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
@@ -11910,7 +11910,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 3
 Document count: 3
-Index: geneve-ut-847
+Index: geneve-ut-0847
 ```python
 registry where host.os.type == "windows" and
@@ -11928,7 +11928,7 @@ registry where host.os.type == "windows" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-848
+Index: geneve-ut-0848
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -11956,7 +11956,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 18
 Document count: 18
-Index: geneve-ut-850
+Index: geneve-ut-0850
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11971,7 +11971,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 13
 Document count: 13
-Index: geneve-ut-852
+Index: geneve-ut-0852
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11988,7 +11988,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 22
 Document count: 22
-Index: geneve-ut-853
+Index: geneve-ut-0853
 ```python
 file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
@@ -12011,7 +12011,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na
 Branch count: 2
 Document count: 2
-Index: geneve-ut-854
+Index: geneve-ut-0854
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12025,7 +12025,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-855
+Index: geneve-ut-0855
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12039,7 +12039,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 24
-Index: geneve-ut-856
+Index: geneve-ut-0856
 ```python
 sequence by process.entity_id with maxspan=30s
@@ -12063,7 +12063,7 @@ sequence by process.entity_id with maxspan=30s
 Branch count: 8
 Document count: 16
-Index: geneve-ut-857
+Index: geneve-ut-0857
 ```python
 sequence by host.id, process.entity_id
@@ -12079,7 +12079,7 @@ sequence by host.id, process.entity_id
 Branch count: 2
 Document count: 2
-Index: geneve-ut-858
+Index: geneve-ut-0858
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -12094,7 +12094,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 4
-Index: geneve-ut-859
+Index: geneve-ut-0859
 ```python
 /* Task Scheduler service incoming connection followed by TaskCache registry modification */
@@ -12114,7 +12114,7 @@ sequence by host.id, process.entity_id with maxspan = 1m
 Branch count: 1
 Document count: 1
-Index: geneve-ut-860
+Index: geneve-ut-0860
 ```python
 iam where event.action == "scheduled-task-created" and
@@ -12127,7 +12127,7 @@ iam where event.action == "scheduled-task-created" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-862
+Index: geneve-ut-0862
 ```python
 sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
@@ -12169,7 +12169,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and
 Branch count: 16
 Document count: 32
-Index: geneve-ut-863
+Index: geneve-ut-0863
 ```python
 sequence with maxspan=1m
@@ -12192,7 +12192,7 @@ sequence with maxspan=1m
 Branch count: 4
 Document count: 8
-Index: geneve-ut-864
+Index: geneve-ut-0864
 ```python
 sequence with maxspan=1s
@@ -12240,7 +12240,7 @@ sequence with maxspan=1s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-865
+Index: geneve-ut-0865
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12253,7 +12253,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-867
+Index: geneve-ut-0867
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -12273,7 +12273,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not (
 Branch count: 2
 Document count: 4
-Index: geneve-ut-868
+Index: geneve-ut-0868
 ```python
 sequence by host.id, process.entry_leader.entity_id with maxspan=30s
@@ -12290,7 +12290,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s
 Branch count: 48
 Document count: 48
-Index: geneve-ut-869
+Index: geneve-ut-0869
 ```python
 (event.dataset: (network_traffic.http or network_traffic.tls) or
@@ -12337,7 +12337,7 @@ Index: geneve-ut-869
 Branch count: 1
 Document count: 1
-Index: geneve-ut-870
+Index: geneve-ut-0870
 ```python
 event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
@@ -12350,7 +12350,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
 Branch count: 4
 Document count: 4
-Index: geneve-ut-871
+Index: geneve-ut-0871
 ```python
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
@@ -12363,7 +12363,7 @@ and file.path : "/etc/selinux/config"
 Branch count: 32
 Document count: 32
-Index: geneve-ut-872
+Index: geneve-ut-0872
 ```python
 registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
@@ -12384,7 +12384,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 Branch count: 4
 Document count: 4
-Index: geneve-ut-875
+Index: geneve-ut-0875
 ```python
 (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
@@ -12396,7 +12396,7 @@ Index: geneve-ut-875
 Branch count: 6
 Document count: 6
-Index: geneve-ut-877
+Index: geneve-ut-0877
 ```python
 file where container.id:"*" and
@@ -12409,7 +12409,7 @@ file where container.id:"*" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-878
+Index: geneve-ut-0878
 ```python
 process where container.id: "*" and event.type == "start" and
@@ -12430,7 +12430,7 @@ process.interactive== true
 Branch count: 6
 Document count: 6
-Index: geneve-ut-879
+Index: geneve-ut-0879
 ```python
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and
@@ -12444,7 +12444,7 @@ not file.name : "known_hosts.*"
 Branch count: 6
 Document count: 6
-Index: geneve-ut-880
+Index: geneve-ut-0880
 ```python
 process where container.id: "*" and event.type== "start" and
@@ -12458,7 +12458,7 @@ process.name: ("sshd", "ssh", "autossh")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-881
+Index: geneve-ut-0881
 ```python
 file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and
@@ -12471,7 +12471,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman")
 Branch count: 36
 Document count: 36
-Index: geneve-ut-884
+Index: geneve-ut-0884
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -12489,7 +12489,7 @@ process.name == "find" and process.args : "-perm" and process.args : (
 Branch count: 60
 Document count: 120
-Index: geneve-ut-886
+Index: geneve-ut-0886
 ```python
 sequence by host.id with maxspan = 30s
@@ -12510,7 +12510,7 @@ sequence by host.id with maxspan = 30s
 Branch count: 4
 Document count: 4
-Index: geneve-ut-888
+Index: geneve-ut-0888
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -12526,7 +12526,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 9
 Document count: 9
-Index: geneve-ut-889
+Index: geneve-ut-0889
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12541,7 +12541,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 27
 Document count: 27
-Index: geneve-ut-890
+Index: geneve-ut-0890
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and
@@ -12582,7 +12582,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-892
+Index: geneve-ut-0892
 ```python
 any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
@@ -12616,7 +12616,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
 Branch count: 2
 Document count: 2
-Index: geneve-ut-893
+Index: geneve-ut-0893
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12630,7 +12630,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-894
+Index: geneve-ut-0894
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12644,7 +12644,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get"
 Branch count: 116
 Document count: 116
-Index: geneve-ut-895
+Index: geneve-ut-0895
 ```python
 process where event.type == "start" and
@@ -12705,7 +12705,7 @@ process.name : "grep" and user.id != "0" and
 Branch count: 270
 Document count: 270
-Index: geneve-ut-898
+Index: geneve-ut-0898
 ```python
 process where container.id: "*" and event.type== "start" and
@@ -12748,7 +12748,7 @@ and process.args: (
 Branch count: 60
 Document count: 60
-Index: geneve-ut-899
+Index: geneve-ut-0899
 ```python
 process where container.id: "*" and event.type== "start" and
@@ -12772,7 +12772,7 @@ or
 Branch count: 1
 Document count: 1
-Index: geneve-ut-900
+Index: geneve-ut-0900
 ```python
 event.action:"Authorization Policy Change" and event.code:4704 and
@@ -12785,7 +12785,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-901
+Index: geneve-ut-0901
 ```python
 file where host.os.type == "windows" and
@@ -12806,7 +12806,7 @@ file where host.os.type == "windows" and
 Branch count: 16
 Document count: 32
-Index: geneve-ut-902
+Index: geneve-ut-0902
 ```python
 sequence by process.entity_id with maxspan = 1m
@@ -12823,7 +12823,7 @@ sequence by process.entity_id with maxspan = 1m
 Branch count: 96
 Document count: 96
-Index: geneve-ut-903
+Index: geneve-ut-0903
 ```python
 /* This rule is not compatible with Sysmon due to user.id issues */
@@ -12843,7 +12843,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-904
+Index: geneve-ut-0904
 ```python
 sequence by winlog.computer_name with maxspan=5m
@@ -12867,7 +12867,7 @@ sequence by winlog.computer_name with maxspan=5m
 Branch count: 10
 Document count: 10
-Index: geneve-ut-905
+Index: geneve-ut-0905
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12882,7 +12882,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-906
+Index: geneve-ut-0906
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -12903,7 +12903,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-907
+Index: geneve-ut-0907
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -12926,7 +12926,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-908
+Index: geneve-ut-0908
 ```python
 process where event.type == "start" and process.name : "sc.exe" and
@@ -12939,7 +12939,7 @@ process where event.type == "start" and process.name : "sc.exe" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-909
+Index: geneve-ut-0909
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -12955,7 +12955,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-910
+Index: geneve-ut-0910
 ```python
 file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and
@@ -12968,7 +12968,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null
 Branch count: 1
 Document count: 1
-Index: geneve-ut-911
+Index: geneve-ut-0911
 ```python
 event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
@@ -12980,7 +12980,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint
 Branch count: 264
 Document count: 264
-Index: geneve-ut-913
+Index: geneve-ut-0913
 ```python
 file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
@@ -13028,7 +13028,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
 Branch count: 72
 Document count: 144
-Index: geneve-ut-914
+Index: geneve-ut-0914
 ```python
 sequence by host.id with maxspan=5s
@@ -13042,7 +13042,7 @@ sequence by host.id with maxspan=5s
 Branch count: 162
 Document count: 162
-Index: geneve-ut-915
+Index: geneve-ut-0915
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and
@@ -13064,7 +13064,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten
 Branch count: 1
 Document count: 1
-Index: geneve-ut-916
+Index: geneve-ut-0916
 ```python
 process where host.os.type == "windows" and event.type == "start"
@@ -13078,7 +13078,7 @@ process where host.os.type == "windows" and event.type == "start"
 Branch count: 4
 Document count: 4
-Index: geneve-ut-917
+Index: geneve-ut-0917
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -13092,7 +13092,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 28
 Document count: 28
-Index: geneve-ut-918
+Index: geneve-ut-0918
 ```python
 registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and
@@ -13117,7 +13117,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 Branch count: 12
 Document count: 24
-Index: geneve-ut-932
+Index: geneve-ut-0932
 ```python
 sequence by host.id, process.entity_id with maxspan=5s
@@ -13142,7 +13142,7 @@ sequence by host.id, process.entity_id with maxspan=5s
 Branch count: 36
 Document count: 36
-Index: geneve-ut-933
+Index: geneve-ut-0933
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -13175,7 +13175,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-936
+Index: geneve-ut-0936
 ```python
 beacon_stats.is_beaconing: true and
@@ -13193,7 +13193,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "
 Branch count: 1
 Document count: 1
-Index: geneve-ut-937
+Index: geneve-ut-0937
 ```python
 beacon_stats.beaconing_score: 3
@@ -13205,7 +13205,7 @@ beacon_stats.beaconing_score: 3
 Branch count: 2
 Document count: 6
-Index: geneve-ut-938
+Index: geneve-ut-0938
 ```python
 sequence by user.name with maxspan=12h
@@ -13220,7 +13220,7 @@ sequence by user.name with maxspan=12h
 Branch count: 4
 Document count: 4
-Index: geneve-ut-939
+Index: geneve-ut-0939
 ```python
 file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and
@@ -13245,7 +13245,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-941
+Index: geneve-ut-0941
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -13260,7 +13260,7 @@ not process.args == "dpkg"
 Branch count: 16
 Document count: 16
-Index: geneve-ut-944
+Index: geneve-ut-0944
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13274,7 +13274,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-945
+Index: geneve-ut-0945
 ```python
 event.category:process and host.os.type:windows and
@@ -13305,7 +13305,7 @@ event.category:process and host.os.type:windows and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-946
+Index: geneve-ut-0946
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -13320,7 +13320,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en
 Branch count: 152
 Document count: 304
-Index: geneve-ut-947
+Index: geneve-ut-0947
 ```python
 sequence by host.id with maxspan=5s
@@ -13342,7 +13342,7 @@ sequence by host.id with maxspan=5s
 Branch count: 8
 Document count: 16
-Index: geneve-ut-948
+Index: geneve-ut-0948
 ```python
 sequence by host.id with maxspan=5s
@@ -13369,7 +13369,7 @@ sequence by host.id with maxspan=5s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-950
+Index: geneve-ut-0950
 ```python
 event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
@@ -13381,7 +13381,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi
 Branch count: 2
 Document count: 2
-Index: geneve-ut-951
+Index: geneve-ut-0951
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.path != null and
@@ -13394,7 +13394,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path
 Branch count: 2
 Document count: 4
-Index: geneve-ut-952
+Index: geneve-ut-0952
 ```python
 sequence by host.id with maxspan=30s
@@ -13408,7 +13408,7 @@ sequence by host.id with maxspan=30s
 Branch count: 182
 Document count: 182
-Index: geneve-ut-953
+Index: geneve-ut-0953
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -13440,7 +13440,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-954
+Index: geneve-ut-0954
 ```python
 event.category:file and host.os.type:macos and event.action:modification and
@@ -13464,7 +13464,7 @@ event.category:file and host.os.type:macos and event.action:modification and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-955
+Index: geneve-ut-0955
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13478,7 +13478,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-956
+Index: geneve-ut-0956
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -13501,7 +13501,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-957
+Index: geneve-ut-0957
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13515,7 +13515,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 60
 Document count: 60
-Index: geneve-ut-958
+Index: geneve-ut-0958
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13745,7 +13745,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-959
+Index: geneve-ut-0959
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -13761,7 +13761,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n
 Branch count: 1
 Document count: 1
-Index: geneve-ut-960
+Index: geneve-ut-0960
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and process.name != null and
@@ -13774,7 +13774,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name
 Branch count: 249
 Document count: 249
-Index: geneve-ut-961
+Index: geneve-ut-0961
 ```python
 any where host.os.type == "windows" and
@@ -13851,7 +13851,7 @@ any where host.os.type == "windows" and
 Branch count: 20
 Document count: 20
-Index: geneve-ut-963
+Index: geneve-ut-0963
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -13867,7 +13867,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 44
 Document count: 44
-Index: geneve-ut-964
+Index: geneve-ut-0964
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -13903,7 +13903,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 4
 Document count: 4
-Index: geneve-ut-965
+Index: geneve-ut-0965
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13939,7 +13939,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 88
 Document count: 88
-Index: geneve-ut-966
+Index: geneve-ut-0966
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -13974,7 +13974,7 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like (
 Branch count: 8
 Document count: 8
-Index: geneve-ut-967
+Index: geneve-ut-0967
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13989,7 +13989,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-968
+Index: geneve-ut-0968
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
@@ -14005,7 +14005,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex
 Branch count: 14
 Document count: 14
-Index: geneve-ut-972
+Index: geneve-ut-0972
 ```python
 process where host.os.type == "windows" and event.type : "start" and
@@ -14033,7 +14033,7 @@ process where host.os.type == "windows" and event.type : "start" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-973
+Index: geneve-ut-0973
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -14057,7 +14057,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-975
+Index: geneve-ut-0975
 ```python
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and
@@ -14078,7 +14078,7 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create
 Branch count: 2
 Document count: 2
-Index: geneve-ut-979
+Index: geneve-ut-0979
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -14091,7 +14091,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 30
 Document count: 30
-Index: geneve-ut-980
+Index: geneve-ut-0980
 ```python
 any where host.os.type == "windows" and
@@ -14106,7 +14106,7 @@ any where host.os.type == "windows" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-981
+Index: geneve-ut-0981
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -14125,7 +14125,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python process where container.id: "*" and @@ -14146,7 +14146,7 @@ process.args: "*/*sh" Branch count: 1 Document count: 1 -Index: geneve-ut-985 +Index: geneve-ut-0985 ```python process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and @@ -14159,7 +14159,7 @@ user.id == "0" Branch count: 1 Document count: 1 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python process where host.os.type == "windows" and event.code == "10" and @@ -14178,7 +14178,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python process where host.os.type == "windows" and event.code == "10" and @@ -14213,7 +14213,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 52 Document count: 52 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14234,7 +14234,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-990 +Index: geneve-ut-0990 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -14254,7 +14254,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 24 Document count: 24 -Index: geneve-ut-991 +Index: geneve-ut-0991 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -14267,7 +14267,7 @@ process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack Branch count: 14 Document count: 14 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and @@ -14280,7 +14280,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 4 Document count: 4 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python any where event.category in ("library", "driver") and host.os.type == "windows" and @@ -14360,7 +14360,7 @@ any where event.category in ("library", "driver") and host.os.type == "windows" Branch count: 28 Document count: 28 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where container.id: "*" and event.type== "start" and diff --git a/tests/reports/alerts_from_rules-8.13.md b/tests/reports/alerts_from_rules-8.13.md index e8fdc573..71bbaced 100644 --- a/tests/reports/alerts_from_rules-8.13.md +++ b/tests/reports/alerts_from_rules-8.13.md @@ -19,7 +19,7 @@ Rules version: 8.13.22 Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python sequence by host.id, user.id with maxspan=1m @@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and 
@@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 8748 Document count: 17496 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python sequence with maxspan=1m @@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 Failure message(s): got 1000 signals, expected 4608 @@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 Failure message(s): got 1000 signals, expected 1024 @@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 Failure message(s): got 1000 signals, expected 1024 
@@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 @@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 @@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-891 +Index: geneve-ut-0891 Failure message(s): got 1000 signals, expected 8748 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and 
@@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail @@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -788,7 +788,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success 
@@ -800,7 +800,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -827,7 +827,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -839,7 +839,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -856,7 +856,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -869,7 +869,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success 
@@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -895,7 +895,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail @@ -910,7 +910,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -955,7 +955,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -967,7 +967,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure 
@@ -979,7 +979,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -992,7 +992,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -1005,7 +1005,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -1019,7 +1019,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1032,7 +1032,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success 
@@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -1092,7 +1092,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1105,7 +1105,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1117,7 +1117,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1132,7 +1132,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail 
@@ -1148,7 +1148,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail @@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1187,7 +1187,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" @@ -1202,7 +1202,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1217,7 +1217,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -1241,7 +1241,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" @@ -1256,7 +1256,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1269,7 +1269,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success 
@@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1341,7 +1341,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1380,7 +1380,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and 
@@ -1393,7 +1393,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1406,7 +1406,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1419,7 +1419,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1434,7 +1434,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1447,7 +1447,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1459,7 +1459,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -1471,7 +1471,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1483,7 +1483,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1499,7 +1499,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1516,7 +1516,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1561,7 +1561,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and @@ -1596,7 +1596,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1613,7 +1613,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1633,7 +1633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m @@ -1661,7 +1661,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1679,7 +1679,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1695,7 +1695,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1715,7 +1715,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1729,7 +1729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1742,7 +1742,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant 
@@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1781,7 +1781,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1793,7 +1793,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1805,7 +1805,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1824,7 +1824,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1840,7 +1840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION 
@@ -1852,7 +1852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1867,7 +1867,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1897,7 +1897,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1909,7 +1909,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -1922,7 +1922,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1934,7 +1934,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1946,7 +1946,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate 
@@ -1958,7 +1958,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1970,7 +1970,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1982,7 +1982,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1994,7 +1994,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -2006,7 +2006,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -2018,7 +2018,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2030,7 +2030,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2047,7 +2047,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2060,7 +2060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 74
 Document count: 74
-Index: geneve-ut-153
+Index: geneve-ut-0153
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -2088,7 +2088,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 30
 Document count: 30
-Index: geneve-ut-154
+Index: geneve-ut-0154
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -2104,7 +2104,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-155
+Index: geneve-ut-0155
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -2117,7 +2117,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 6
 Document count: 6
-Index: geneve-ut-156
+Index: geneve-ut-0156
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2131,7 +2131,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 7
 Document count: 7
-Index: geneve-ut-157
+Index: geneve-ut-0157
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2150,7 +2150,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-158
+Index: geneve-ut-0158
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -2165,7 +2165,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-159
+Index: geneve-ut-0159
 ```python
 event.dataset:okta.system and event.action:application.lifecycle.update
@@ -2177,7 +2177,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update
 Branch count: 3
 Document count: 3
-Index: geneve-ut-160
+Index: geneve-ut-0160
 ```python
 event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)
@@ -2189,7 +2189,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis
 Branch count: 1
 Document count: 1
-Index: geneve-ut-161
+Index: geneve-ut-0161
 ```python
 event.dataset:okta.system and event.action:policy.lifecycle.update
@@ -2201,7 +2201,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update
 Branch count: 1
 Document count: 1
-Index: geneve-ut-162
+Index: geneve-ut-0162
 ```python
 event.dataset:okta.system and event.action:policy.rule.update
@@ -2213,7 +2213,7 @@ event.dataset:okta.system and event.action:policy.rule.update
 Branch count: 8
 Document count: 8
-Index: geneve-ut-163
+Index: geneve-ut-0163
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -2232,7 +2232,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-164
+Index: geneve-ut-0164
 ```python
 event.dataset:okta.system and event.action:user.mfa.factor.reset_all
@@ -2244,7 +2244,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all
 Branch count: 1
 Document count: 1
-Index: geneve-ut-166
+Index: geneve-ut-0166
 ```python
 event.dataset:okta.system and event.action:system.api_token.revoke
@@ -2256,7 +2256,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke
 Branch count: 4
 Document count: 4
-Index: geneve-ut-167
+Index: geneve-ut-0167
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -2269,7 +2269,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-168
+Index: geneve-ut-0168
 ```python
 event.dataset:okta.system and event.action:user.mfa.attempt_bypass
@@ -2281,7 +2281,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass
 Branch count: 3
 Document count: 3
-Index: geneve-ut-169
+Index: geneve-ut-0169
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2311,7 +2311,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-173
+Index: geneve-ut-0173
 ```python
 event.category:file and host.os.type:macos and not event.type:deletion and
@@ -2326,7 +2326,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-174
+Index: geneve-ut-0174
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
@@ -2340,7 +2340,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\
 Branch count: 4
 Document count: 4
-Index: geneve-ut-175
+Index: geneve-ut-0175
 ```python
 event.dataset:azure.signinlogs and
@@ -2354,7 +2354,7 @@ event.dataset:azure.signinlogs and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-176
+Index: geneve-ut-0176
 ```python
 event.dataset:azure.signinlogs and
@@ -2367,7 +2367,7 @@ event.dataset:azure.signinlogs and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-177
+Index: geneve-ut-0177
 ```python
 event.dataset:azure.signinlogs and
@@ -2381,7 +2381,7 @@ event.dataset:azure.signinlogs and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-178
+Index: geneve-ut-0178
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and
@@ -2394,7 +2394,7 @@ event.outcome: "success"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-179
+Index: geneve-ut-0179
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success)
@@ -2406,7 +2406,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica
 Branch count: 2
 Document count: 2
-Index: geneve-ut-180
+Index: geneve-ut-0180
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
@@ -2418,7 +2418,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 6
 Document count: 6
-Index: geneve-ut-181
+Index: geneve-ut-0181
 ```python
 event.dataset:azure.activitylogs and
@@ -2437,7 +2437,7 @@ event.dataset:azure.activitylogs and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-182
+Index: geneve-ut-0182
 ```python
 event.dataset:azure.activitylogs and
@@ -2451,7 +2451,7 @@ event.dataset:azure.activitylogs and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-183
+Index: geneve-ut-0183
 ```python
 event.dataset:azure.activitylogs and
@@ -2469,7 +2469,7 @@ event.dataset:azure.activitylogs and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-184
+Index: geneve-ut-0184
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success)
@@ -2481,7 +2481,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 4
 Document count: 4
-Index: geneve-ut-185
+Index: geneve-ut-0185
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
@@ -2496,7 +2496,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
 Branch count: 2
 Document count: 2
-Index: geneve-ut-186
+Index: geneve-ut-0186
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
@@ -2508,7 +2508,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 4
 Document count: 4
-Index: geneve-ut-187
+Index: geneve-ut-0187
 ```python
 event.dataset:(azure.activitylogs or azure.auditlogs) and
@@ -2521,7 +2521,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su
 Branch count: 2
 Document count: 2
-Index: geneve-ut-188
+Index: geneve-ut-0188
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success)
@@ -2533,7 +2533,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-191
+Index: geneve-ut-0191
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
@@ -2545,7 +2545,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-192
+Index: geneve-ut-0192
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success)
@@ -2557,7 +2557,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-193
+Index: geneve-ut-0193
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)
@@ -2569,7 +2569,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa
 Branch count: 2
 Document count: 2
-Index: geneve-ut-194
+Index: geneve-ut-0194
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success)
@@ -2581,7 +2581,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-195
+Index: geneve-ut-0195
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success)
@@ -2593,7 +2593,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 6
 Document count: 6
-Index: geneve-ut-196
+Index: geneve-ut-0196
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
@@ -2611,7 +2611,7 @@ event.outcome:(Success or success)
 Branch count: 4
 Document count: 4
-Index: geneve-ut-197
+Index: geneve-ut-0197
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
@@ -2627,7 +2627,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage
 Branch count: 2
 Document count: 2
-Index: geneve-ut-198
+Index: geneve-ut-0198
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
@@ -2639,7 +2639,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-199
+Index: geneve-ut-0199
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and
@@ -2652,7 +2652,7 @@ event.outcome:(Success or success)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-200
+Index: geneve-ut-0200
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and
@@ -2665,7 +2665,7 @@ event.outcome:(Success or success)
 Branch count: 4
 Document count: 4
-Index: geneve-ut-201
+Index: geneve-ut-0201
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
@@ -2680,7 +2680,7 @@ event.outcome:(Success or success)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-202
+Index: geneve-ut-0202
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success)
@@ -2692,7 +2692,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-203
+Index: geneve-ut-0203
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success)
@@ -2704,7 +2704,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se
 Branch count: 2
 Document count: 2
-Index: geneve-ut-204
+Index: geneve-ut-0204
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
@@ -2716,7 +2716,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 2
 Document count: 2
-Index: geneve-ut-205
+Index: geneve-ut-0205
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
@@ -2728,7 +2728,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr
 Branch count: 2
 Document count: 2
-Index: geneve-ut-206
+Index: geneve-ut-0206
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success)
@@ -2740,7 +2740,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr
 Branch count: 2
 Document count: 2
-Index: geneve-ut-207
+Index: geneve-ut-0207
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
@@ -2752,7 +2752,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 Branch count: 22
 Document count: 22
-Index: geneve-ut-208
+Index: geneve-ut-0208
 ```python
 event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or
@@ -2770,7 +2770,7 @@ event.outcome:(Success or success)
 Branch count: 1
 Document count: 1
-Index: geneve-ut-209
+Index: geneve-ut-0209
 ```python
 process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and
@@ -2784,7 +2784,7 @@ not process.parent.executable == "/usr/sbin/libvirtd"
 Branch count: 16
 Document count: 16
-Index: geneve-ut-210
+Index: geneve-ut-0210
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -2798,7 +2798,7 @@ not process.args in ("--help", "--version")
 Branch count: 9
 Document count: 9
-Index: geneve-ut-211
+Index: geneve-ut-0211
 ```python
 event.category:file and event.type:change and
@@ -2823,7 +2823,7 @@ event.category:file and event.type:change and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-212
+Index: geneve-ut-0212
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2838,7 +2838,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-213
+Index: geneve-ut-0213
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -2853,7 +2853,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/
 Branch count: 13
 Document count: 13
-Index: geneve-ut-214
+Index: geneve-ut-0214
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2875,7 +2875,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-215
+Index: geneve-ut-0215
 ```python
 file where host.os.type == "windows" and event.type : "creation" and
@@ -2904,7 +2904,7 @@ file where host.os.type == "windows" and event.type : "creation" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-216
+Index: geneve-ut-0216
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2922,7 +2922,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-218
+Index: geneve-ut-0218
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -2942,7 +2942,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
 Branch count: 24
 Document count: 24
-Index: geneve-ut-219
+Index: geneve-ut-0219
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2958,7 +2958,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 9
 Document count: 9
-Index: geneve-ut-220
+Index: geneve-ut-0220
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2980,7 +2980,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-222
+Index: geneve-ut-0222
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -2994,7 +2994,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-223
+Index: geneve-ut-0223
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3012,7 +3012,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-224
+Index: geneve-ut-0224
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
@@ -3032,7 +3032,7 @@ process.parent.name: (
 Branch count: 1
 Document count: 2
-Index: geneve-ut-225
+Index: geneve-ut-0225
 ```python
 sequence by process.entity_id
@@ -3055,7 +3055,7 @@ sequence by process.entity_id
 Branch count: 2
 Document count: 2
-Index: geneve-ut-226
+Index: geneve-ut-0226
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3072,7 +3072,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 54
 Document count: 54
-Index: geneve-ut-227
+Index: geneve-ut-0227
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3134,7 +3134,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-228
+Index: geneve-ut-0228
 ```python
 library where host.os.type == "windows" and event.action == "load" and
@@ -3164,7 +3164,7 @@ library where host.os.type == "windows" and event.action == "load" and
 Branch count: 24
 Document count: 24
-Index: geneve-ut-230
+Index: geneve-ut-0230
 ```python
 network where host.os.type == "windows" and network.protocol == "dns" and
@@ -3189,7 +3189,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-232
+Index: geneve-ut-0232
 ```python
 sequence by process.entity_id
@@ -3210,7 +3210,7 @@ sequence by process.entity_id
 Branch count: 1
 Document count: 2
-Index: geneve-ut-233
+Index: geneve-ut-0233
 ```python
 sequence by process.entity_id
@@ -3231,7 +3231,7 @@ sequence by process.entity_id
 Branch count: 9
 Document count: 9
-Index: geneve-ut-234
+Index: geneve-ut-0234
 ```python
 process where container.id: "*" and event.type== "start"
@@ -3244,7 +3244,7 @@ process where container.id: "*" and event.type== "start"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-235
+Index: geneve-ut-0235
 ```python
 event.kind:alert and event.module:cloud_defend
@@ -3256,7 +3256,7 @@ event.kind:alert and event.module:cloud_defend
 Branch count: 24
 Document count: 24
-Index: geneve-ut-236
+Index: geneve-ut-0236
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3282,7 +3282,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 5
 Document count: 5
-Index: geneve-ut-238
+Index: geneve-ut-0238
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and
@@ -3302,7 +3302,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-239
+Index: geneve-ut-0239
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
@@ -3315,7 +3315,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-240
+Index: geneve-ut-0240
 ```python
 file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
@@ -3328,7 +3328,7 @@ not process.name == "dockerd"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-241
+Index: geneve-ut-0241
 ```python
 file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and
@@ -3343,7 +3343,7 @@ file.extension == "ko" and not process.name : (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-242
+Index: geneve-ut-0242
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -3360,7 +3360,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-243
+Index: geneve-ut-0243
 ```python
 any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
@@ -3374,7 +3374,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan
 Branch count: 3
 Document count: 3
-Index: geneve-ut-244
+Index: geneve-ut-0244
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3391,7 +3391,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-245
+Index: geneve-ut-0245
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
@@ -3403,7 +3403,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name
 Branch count: 12
 Document count: 12
-Index: geneve-ut-247
+Index: geneve-ut-0247
 ```python
 registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and
@@ -3452,7 +3452,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 Branch count: 4
 Document count: 4
-Index: geneve-ut-248
+Index: geneve-ut-0248
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and
@@ -3470,7 +3470,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti
 Branch count: 8
 Document count: 8
-Index: geneve-ut-249
+Index: geneve-ut-0249
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3485,7 +3485,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-250
+Index: geneve-ut-0250
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
@@ -3497,7 +3497,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-251
+Index: geneve-ut-0251
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
@@ -3509,7 +3509,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-252
+Index: geneve-ut-0252
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
@@ -3521,7 +3521,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-253
+Index: geneve-ut-0253
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
@@ -3533,7 +3533,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 80
 Document count: 80
-Index: geneve-ut-254
+Index: geneve-ut-0254
 ```python
 file where host.os.type == "linux" and
@@ -3575,7 +3575,7 @@ event.action in ("rename", "creation") and file.path : (
 Branch count: 8
 Document count: 8
-Index: geneve-ut-255
+Index: geneve-ut-0255
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -3595,7 +3595,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 Branch count: 128
 Document count: 128
-Index: geneve-ut-256
+Index: geneve-ut-0256
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -3617,7 +3617,7 @@ process.name == "curl" and (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-257
+Index: geneve-ut-0257
 ```python
 event.dataset:cyberarkpas.audit and event.type:error
@@ -3629,7 +3629,7 @@ event.dataset:cyberarkpas.audit and event.type:error
 Branch count: 20
 Document count: 20
-Index: geneve-ut-258
+Index: geneve-ut-0258
 ```python
 event.dataset:cyberarkpas.audit and
@@ -3644,7 +3644,7 @@ event.dataset:cyberarkpas.audit and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-259
+Index: geneve-ut-0259
 ```python
 file where host.os.type == "linux" and event.action in ("rename", "creation") and
@@ -3675,7 +3675,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*
 Branch count: 3
 Document count: 3
-Index: geneve-ut-260
+Index: geneve-ut-0260
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3691,7 +3691,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 5
 Document count: 5
-Index: geneve-ut-262
+Index: geneve-ut-0262
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3709,7 +3709,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 9
 Document count: 9
-Index: geneve-ut-264
+Index: geneve-ut-0264
 ```python
 (event.dataset: network_traffic.tls or event.category: (network or network_traffic))
@@ -3724,7 +3724,7 @@ Index: geneve-ut-264
 Branch count: 2
 Document count: 2
-Index: geneve-ut-266
+Index: geneve-ut-0266
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3738,7 +3738,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-267
+Index: geneve-ut-0267
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3752,7 +3752,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-270
+Index: geneve-ut-0270
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and
@@ -3766,7 +3766,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir")
 Branch count: 12
 Document count: 12
-Index: geneve-ut-271
+Index: geneve-ut-0271
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3788,7 +3788,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-272
+Index: geneve-ut-0272
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3805,7 +3805,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 18
 Document count: 18
-Index: geneve-ut-273
+Index: geneve-ut-0273
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -3830,7 +3830,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 24
 Document count: 24
-Index: geneve-ut-274
+Index: geneve-ut-0274
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -3847,7 +3847,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-275
+Index: geneve-ut-0275
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -3862,7 +3862,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-278
+Index: geneve-ut-0278
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
@@ -3874,7 +3874,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 4
 Document count: 4
-Index: geneve-ut-281
+Index: geneve-ut-0281
 ```python
 event.category:process and host.os.type:macos and event.type:start and
@@ -3887,7 +3887,7 @@ event.category:process and host.os.type:macos and event.type:start and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-282
+Index: geneve-ut-0282
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
@@ -3899,7 +3899,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 10
 Document count: 20
-Index: geneve-ut-283
+Index: geneve-ut-0283
 ```python
 sequence by process.entity_id with maxspan=1m
@@ -3917,7 +3917,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 24
 Document count: 24
-Index: geneve-ut-284
+Index: geneve-ut-0284
 ```python
 file where host.os.type == "linux" and event.action in ("creation", "rename") and
@@ -3952,7 +3952,7 @@ not (
 Branch count: 12
 Document count: 12
-Index: geneve-ut-286
+Index: geneve-ut-0286
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -3967,7 +3967,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag
 Branch count: 108
 Document count: 108
-Index: geneve-ut-287
+Index: geneve-ut-0287
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -3983,7 +3983,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init"
 Branch count: 12
 Document count: 12
-Index: geneve-ut-288
+Index: geneve-ut-0288
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -3997,7 +3997,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-289
+Index: geneve-ut-0289
 ```python
 event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*
@@ -4009,7 +4009,7 @@ event.category:process and event.type:(process_started or start) and process.nam
 Branch count: 1
 Document count: 2
-Index: geneve-ut-290
+Index: geneve-ut-0290
 ```python
 sequence by host.id with maxspan=3s
@@ -4032,7 +4032,7 @@ sequence by host.id with maxspan=3s
 Branch count: 203
 Document count: 203
-Index: geneve-ut-291
+Index: geneve-ut-0291
 ```python
 process where
@@ -4063,7 +4063,7 @@ or
 Branch count: 3
 Document count: 3
-Index: geneve-ut-292
+Index: geneve-ut-0292
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and
@@ -4076,7 +4076,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-293
+Index: geneve-ut-0293
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4090,7 +4090,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis
 Branch count: 1
 Document count: 1
-Index: geneve-ut-294
+Index: geneve-ut-0294
 ```python
 registry where host.os.type == "windows" and
@@ -4104,7 +4104,7 @@ registry where host.os.type == "windows" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-295
+Index: geneve-ut-0295
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4135,7 +4135,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-296
+Index: geneve-ut-0296
 ```python
 event.kind:alert and event.module:(endpoint and not endgame)
@@ -4147,7 +4147,7 @@ event.kind:alert and event.module:(endpoint and not endgame)
 Branch count: 3
 Document count: 3
-Index: geneve-ut-297
+Index: geneve-ut-0297
 ```python
 event.dataset:(azure.activitylogs or azure.signinlogs)
@@ -4164,7 +4164,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs)
 Branch count: 2
 Document count: 2
-Index: geneve-ut-298
+Index: geneve-ut-0298
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4178,7 +4178,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 7
 Document count: 7
-Index: geneve-ut-299
+Index: geneve-ut-0299
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4197,7 +4197,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4224,7 +4224,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4255,7 +4255,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and @@ -4268,7 +4268,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4297,7 +4297,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4325,7 +4325,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4338,7 +4338,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -4358,7 +4358,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4377,7 +4377,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -4403,7 +4403,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4428,7 +4428,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4457,7 +4457,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -4469,7 +4469,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4492,7 +4492,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4507,7 +4507,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" 
@@ -4519,7 +4519,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4534,7 +4534,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4556,7 +4556,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4568,7 +4568,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4582,7 +4582,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4595,7 +4595,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -4607,7 +4607,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4619,7 +4619,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4633,7 +4633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4645,7 +4645,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4677,7 +4677,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s @@ -4694,7 +4694,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4708,7 +4708,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and 
@@ -4724,7 +4724,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4739,7 +4739,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4754,7 +4754,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4781,7 +4781,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4802,7 +4802,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4821,7 +4821,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4847,7 +4847,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4877,7 +4877,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert 
@@ -4889,7 +4889,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4907,7 +4907,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4919,7 +4919,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4931,7 +4931,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4943,7 +4943,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -4955,7 +4955,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -4967,7 +4967,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success 
@@ -4979,7 +4979,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -4991,7 +4991,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -5003,7 +5003,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -5015,7 +5015,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -5027,7 +5027,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -5039,7 +5039,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success 
@@ -5051,7 +5051,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -5063,7 +5063,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5075,7 +5075,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5087,7 +5087,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -5099,7 +5099,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -5111,7 +5111,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success 
@@ -5123,7 +5123,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5135,7 +5135,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5147,7 +5147,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5159,7 +5159,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5171,7 +5171,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -5183,7 +5183,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -5207,7 +5207,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s 
@@ -5225,7 +5225,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5253,7 +5253,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -5278,7 +5278,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5290,7 +5290,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5302,7 +5302,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -5314,7 +5314,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -5327,7 +5327,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" 
@@ -5339,7 +5339,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5351,7 +5351,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5363,7 +5363,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5376,7 +5376,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5388,7 +5388,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin @@ -5404,7 +5404,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5417,7 +5417,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE 
@@ -5429,7 +5429,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5442,7 +5442,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5454,7 +5454,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5467,7 +5467,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -5484,7 +5484,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5498,7 +5498,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5522,7 +5522,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
@@ -5543,7 +5543,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5557,7 +5557,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5569,7 +5569,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5581,7 +5581,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -5594,7 +5594,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5607,7 +5607,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -5628,7 +5628,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5640,7 +5640,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5657,7 +5657,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5686,7 +5686,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5699,7 +5699,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5714,7 +5714,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5726,7 +5726,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5743,7 +5743,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m 
@@ -5762,7 +5762,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5780,7 +5780,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5799,7 +5799,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5815,7 +5815,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5831,7 +5831,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5844,7 +5844,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" @@ -5862,7 +5862,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5875,7 +5875,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5891,7 +5891,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -5914,7 +5914,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5935,7 +5935,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -5956,7 +5956,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -5969,7 +5969,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -5987,7 +5987,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -6000,7 +6000,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6014,7 +6014,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and 
@@ -6073,7 +6073,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6086,7 +6086,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6099,7 +6099,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6113,7 +6113,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6129,7 +6129,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6144,7 +6144,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6160,7 +6160,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" 
@@ -6172,7 +6172,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -6187,7 +6187,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -6201,7 +6201,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -6217,7 +6217,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" @@ -6234,7 +6234,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -6251,7 +6251,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -6268,7 +6268,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -6301,7 +6301,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -6318,7 +6318,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -6335,7 +6335,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6352,7 +6352,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -6368,7 +6368,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6406,7 +6406,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and @@ -6441,7 +6441,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6514,7 +6514,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6532,7 +6532,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6548,7 +6548,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6562,7 +6562,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6577,7 +6577,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6639,7 +6639,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6653,7 +6653,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -6669,7 +6669,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6688,7 +6688,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6706,7 +6706,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6731,7 +6731,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false 
@@ -6743,7 +6743,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6778,7 +6778,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6792,7 +6792,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -6804,7 +6804,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6816,7 +6816,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6828,7 +6828,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
@@ -6840,7 +6840,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6852,7 +6852,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6884,7 +6884,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -6896,7 +6896,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6908,7 +6908,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6920,7 +6920,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success 
@@ -6932,7 +6932,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6944,7 +6944,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -6956,7 +6956,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -6968,7 +6968,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -6980,7 +6980,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success 
@@ -6992,7 +6992,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -7004,7 +7004,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -7016,7 +7016,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -7029,7 +7029,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -7048,7 +7048,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -7060,7 +7060,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and 
@@ -7075,7 +7075,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7089,7 +7089,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7103,7 +7103,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -7115,7 +7115,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -7127,7 +7127,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7141,7 +7141,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7162,7 +7162,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7176,7 +7176,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7199,7 +7199,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7224,7 +7224,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category: "process" and host.os.type:windows and @@ -7248,7 +7248,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7263,7 +7263,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7277,7 +7277,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7291,7 +7291,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7305,7 +7305,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -7355,7 +7355,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -7367,7 +7367,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7385,7 +7385,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7402,7 +7402,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7414,7 +7414,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7440,7 +7440,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.category:file and host.os.type:linux and event.type:change and 
@@ -7462,7 +7462,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7484,7 +7484,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python registry where host.os.type == "windows" and event.type == "creation" and @@ -7501,7 +7501,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7515,7 +7515,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7527,7 +7527,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7550,7 +7550,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7563,7 +7563,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7582,7 +7582,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id with maxspan=30s @@ -7619,7 +7619,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by process.entity_id with maxspan=10m @@ -7637,7 +7637,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7649,7 +7649,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7675,7 +7675,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7701,7 +7701,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7725,7 +7725,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7739,7 +7739,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7758,7 +7758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -7773,7 +7773,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python process where container.id: "*" and event.type== "start" @@ -7796,7 +7796,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7810,7 +7810,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 3 Document count: 3 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7827,7 +7827,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7850,7 +7850,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python sequence by host.id with maxspan=1s @@ -7877,7 +7877,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 16 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id with maxspan=10s @@ -7894,7 +7894,7 @@ sequence by host.id with maxspan=10s Branch count: 1 Document count: 1 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and 
@@ -7913,7 +7913,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by process.entity_id @@ -7933,7 +7933,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python sequence by process.entity_id @@ -7952,7 +7952,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python sequence by host.id with maxspan=1m @@ -7972,7 +7972,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python sequence by process.entity_id @@ -7997,7 +7997,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python sequence by process.entity_id @@ -8019,7 +8019,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python network where host.os.type == "linux" and event.type == "start" and @@ -8040,7 +8040,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 2 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -8071,7 +8071,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8101,7 +8101,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and 
@@ -8118,7 +8118,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 3 Document count: 3 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8131,7 +8131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -8143,7 +8143,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -8155,7 +8155,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -8167,7 +8167,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -8179,7 +8179,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" 
@@ -8191,7 +8191,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -8205,7 +8205,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8218,7 +8218,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -8230,7 +8230,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -8244,7 +8244,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -8256,7 +8256,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python registry where host.os.type == "windows" and event.action != "deletion" and 
@@ -8269,7 +8269,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.dataset:okta.system and event.category:authentication and @@ -8282,7 +8282,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -8305,7 +8305,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -8317,7 +8317,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -8329,7 +8329,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -8341,7 +8341,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 6 Document count: 6 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8358,7 +8358,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op Branch count: 36 Document count: 72 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -8373,7 +8373,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 5 Document count: 5 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and @@ -8392,7 +8392,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 2 Document count: 2 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8406,7 +8406,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8418,7 +8418,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8430,7 +8430,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8448,7 +8448,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -8461,7 +8461,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -8476,7 +8476,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and @@ -8489,7 +8489,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 32 Document count: 32 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8518,7 +8518,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8538,7 +8538,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8557,7 +8557,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8570,7 +8570,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -8586,7 +8586,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8612,7 +8612,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8631,7 +8631,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8659,7 +8659,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8674,7 +8674,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8737,7 +8737,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 14 Document count: 14 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python any where host.os.type == "windows" and @@ -8762,7 +8762,7 @@ any where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8778,7 +8778,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
@@ -8796,7 +8796,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8808,7 +8808,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8825,7 +8825,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8840,7 +8840,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8857,7 +8857,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8877,7 +8877,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p Branch count: 2 Document count: 6 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id, user.name with maxspan = 5s @@ -8906,7 +8906,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python file where event.module == "cloud_defend" and event.action == "open" and 
@@ -8919,7 +8919,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8932,7 +8932,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python process where event.type in ("start", "process_started", "info") and @@ -8956,7 +8956,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -8991,7 +8991,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9009,7 +9009,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9032,7 +9032,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -9086,7 +9086,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python sequence by process.entity_id with maxspan=1m @@ -9104,7 +9104,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by process.entity_id 
@@ -9119,7 +9119,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python any where processor.name == "transaction" and @@ -9133,7 +9133,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9154,7 +9154,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9175,7 +9175,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -9200,7 +9200,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9213,7 +9213,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" @@ -9225,7 +9225,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path == Branch count: 2 Document count: 2 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -9238,7 +9238,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9256,7 +9256,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9269,7 +9269,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python sequence by process.entity_id with maxspan=3m @@ -9293,7 +9293,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where event.type == "start" and host.os.type == "windows" and @@ -9309,7 +9309,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9334,7 +9334,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -9347,7 +9347,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by host.id, user.id with maxspan=1s 
@@ -9369,7 +9369,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9387,7 +9387,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9400,7 +9400,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9413,7 +9413,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9426,7 +9426,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9441,7 +9441,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by host.id with maxspan=1m @@ -9477,7 +9477,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9490,7 +9490,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -9508,7 +9508,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -9522,7 +9522,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by host.id with maxspan=30s @@ -9541,7 +9541,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9554,7 +9554,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9570,7 +9570,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9583,7 +9583,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9613,7 +9613,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s 
@@ -9631,7 +9631,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9659,7 +9659,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9678,7 +9678,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and @@ -9816,7 +9816,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and @@ -9887,7 +9887,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9904,7 +9904,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9930,7 +9930,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip 
@@ -9942,7 +9942,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9983,7 +9983,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -9997,7 +9997,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python sequence by process.entity_id with maxspan=1m @@ -10025,7 +10025,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -10066,7 +10066,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python network where host.os.type == "windows" and @@ -10092,7 +10092,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10105,7 +10105,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and 
@@ -10175,7 +10175,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10189,7 +10189,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10202,7 +10202,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10226,7 +10226,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10246,7 +10246,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python host.os.type:windows and event.category:process and @@ -10283,7 +10283,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:windows and @@ -10476,7 +10476,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -10492,7 +10492,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -10506,7 +10506,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10523,7 +10523,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10537,7 +10537,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10553,7 +10553,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -10569,7 +10569,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10581,7 +10581,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -10597,7 +10597,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence by host.id with maxspan=1m @@ -10617,7 +10617,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10629,7 +10629,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python iam where event.action == "renamed-user-account" and @@ -10643,7 +10643,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10666,7 +10666,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10687,7 +10687,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10700,7 +10700,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python file where host.os.type == "windows" and @@ -10715,7 +10715,7 @@ file where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -10743,7 +10743,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10758,7 +10758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence with maxspan=1m @@ -10800,7 +10800,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by host.id with maxspan=5s @@ -10820,7 +10820,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where event.type in ("start", "process_started") and @@ -10841,7 +10841,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10855,7 +10855,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10875,7 +10875,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan=5s @@ -10904,7 +10904,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -10920,7 +10920,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10932,7 +10932,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -10946,7 +10946,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -10974,7 +10974,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python sequence by host.id with maxspan=1s @@ -10996,7 +10996,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -11025,7 +11025,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11038,7 +11038,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s 
@@ -11054,7 +11054,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11068,7 +11068,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -11098,7 +11098,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11111,7 +11111,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -11127,7 +11127,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11144,7 +11144,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and 
@@ -11157,7 +11157,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 2 Document count: 2 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -11171,7 +11171,7 @@ process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" a Branch count: 8 Document count: 16 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -11187,7 +11187,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11204,7 +11204,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 16 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python sequence by okta.actor.id with maxspan=10m @@ -11224,7 +11224,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 72 Document count: 72 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11240,7 +11240,7 @@ process.parent.name in ("screen", "tmux") and process.name like ( Branch count: 21 Document count: 21 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python event.category:process and host.os.type:windows and @@ -11265,7 +11265,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python event.category:process and host.os.type:windows and @@ -11284,7 +11284,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python event.category:process and host.os.type:windows and 
@@ -11307,7 +11307,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -11319,7 +11319,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python event.category:process and host.os.type:windows and @@ -11343,7 +11343,7 @@ event.category:process and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11360,7 +11360,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 80 Document count: 80 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and @@ -11380,7 +11380,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 4 Document count: 8 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -11413,7 +11413,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -11430,7 +11430,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11444,7 +11444,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -11458,7 +11458,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -11471,7 +11471,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -11514,7 +11514,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 20 Document count: 20 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11540,7 +11540,7 @@ registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -11557,7 +11557,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11571,7 +11571,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -11585,7 +11585,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11602,7 +11602,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -11677,7 +11677,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=1m @@ -11698,7 +11698,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11717,7 +11717,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11732,7 +11732,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11785,7 +11785,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -11797,7 +11797,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11809,7 +11809,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and process.name: "MSBuild.exe" and @@ -11822,7 +11822,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and Branch count: 114 Document count: 114 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11865,7 +11865,7 @@ not ( Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s @@ -11913,7 +11913,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11926,7 +11926,7 @@ process.name : "* " Branch count: 1 Document count: 1 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11948,7 +11948,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where event.action == "exec" and host.os.type == "macos" and 
@@ -11968,7 +11968,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11981,7 +11981,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by process.entity_id @@ -12005,7 +12005,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -12024,7 +12024,7 @@ file.path : "/private/var/folders/*" Branch count: 6 Document count: 6 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12048,7 +12048,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 8 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python sequence by process.entity_id with maxspan=1m @@ -12063,7 +12063,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -12075,7 +12075,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -12087,7 +12087,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12104,7 +12104,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12134,7 +12134,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 18 Document count: 18 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12149,7 +12149,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12166,7 +12166,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -12189,7 +12189,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12203,7 +12203,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12217,7 +12217,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python sequence by process.entity_id with maxspan=30s @@ -12241,7 +12241,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python sequence by host.id, process.entity_id @@ -12257,7 +12257,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12272,7 +12272,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -12292,7 +12292,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python iam where event.action == "scheduled-task-created" and @@ -12305,7 +12305,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-902 +Index: geneve-ut-0902 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -12347,7 +12347,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence with maxspan=1m @@ -12370,7 +12370,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python sequence with maxspan=1s 
@@ -12418,7 +12418,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12431,7 +12431,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-907 +Index: geneve-ut-0907 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12451,7 +12451,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( Branch count: 2 Document count: 4 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -12468,7 +12468,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -12515,7 +12515,7 @@ Index: geneve-ut-909 Branch count: 1 Document count: 1 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -12528,7 +12528,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") @@ -12541,7 +12541,7 @@ and file.path : "/etc/selinux/config" Branch count: 32 Document count: 32 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and 
@@ -12562,7 +12562,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-915 +Index: geneve-ut-0915 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -12574,7 +12574,7 @@ Index: geneve-ut-915 Branch count: 6 Document count: 6 -Index: geneve-ut-917 +Index: geneve-ut-0917 ```python file where container.id:"*" and @@ -12587,7 +12587,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python process where container.id: "*" and event.type == "start" and @@ -12608,7 +12608,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -12622,7 +12622,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python process where container.id: "*" and event.type== "start" and @@ -12636,7 +12636,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 2 Document count: 2 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and @@ -12649,7 +12649,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") Branch count: 36 Document count: 36 -Index: geneve-ut-924 +Index: geneve-ut-0924 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12667,7 +12667,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-926 +Index: geneve-ut-0926 ```python sequence by host.id with maxspan = 30s 
@@ -12688,7 +12688,7 @@ sequence by host.id with maxspan = 30s Branch count: 6 Document count: 6 -Index: geneve-ut-928 +Index: geneve-ut-0928 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12705,7 +12705,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12720,7 +12720,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12761,7 +12761,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-932 +Index: geneve-ut-0932 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12795,7 +12795,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12809,7 +12809,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 112 Document count: 112 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12829,7 +12829,7 @@ process.args like ( Branch count: 2 Document count: 2 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12843,7 +12843,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where event.type == "start" and 
@@ -12904,7 +12904,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-939 +Index: geneve-ut-0939 ```python process where container.id: "*" and event.type== "start" and @@ -12947,7 +12947,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where container.id: "*" and event.type== "start" and @@ -12971,7 +12971,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -12984,7 +12984,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python file where host.os.type == "windows" and @@ -13005,7 +13005,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python sequence by process.entity_id with maxspan = 1m @@ -13022,7 +13022,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -13042,7 +13042,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python sequence by winlog.computer_name with maxspan=5m @@ -13066,7 +13066,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13081,7 +13081,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -13102,7 +13102,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -13125,7 +13125,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -13138,7 +13138,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13154,7 +13154,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -13167,7 +13167,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -13179,7 +13179,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 264 Document count: 264 -Index: geneve-ut-954 +Index: geneve-ut-0954 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( @@ -13227,7 +13227,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python sequence by host.id with maxspan=5s 
@@ -13241,7 +13241,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -13263,7 +13263,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python process where host.os.type == "windows" and event.type == "start" @@ -13277,7 +13277,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -13291,7 +13291,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 42 Document count: 42 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and @@ -13318,7 +13318,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 12 Document count: 24 -Index: geneve-ut-973 +Index: geneve-ut-0973 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -13343,7 +13343,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13376,7 +13376,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-977 +Index: geneve-ut-0977 ```python beacon_stats.is_beaconing: true and 
@@ -13394,7 +13394,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python beacon_stats.beaconing_score: 3 @@ -13406,7 +13406,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python sequence by user.name with maxspan=12h @@ -13421,7 +13421,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -13446,7 +13446,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-982 +Index: geneve-ut-0982 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13461,7 +13461,7 @@ not process.args == "dpkg" Branch count: 16 Document count: 16 -Index: geneve-ut-985 +Index: geneve-ut-0985 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13475,7 +13475,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python event.category:process and host.os.type:windows and @@ -13506,7 +13506,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13521,7 +13521,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-988 +Index: geneve-ut-0988 ```python sequence by host.id with maxspan=5s 
@@ -13543,7 +13543,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python sequence by host.id with maxspan=5s @@ -13570,7 +13570,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-991 +Index: geneve-ut-0991 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -13582,7 +13582,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 4 Document count: 4 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -13614,7 +13614,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-993 +Index: geneve-ut-0993 ```python sequence by host.id with maxspan=30s @@ -13628,7 +13628,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13660,7 +13660,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -13684,7 +13684,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13698,7 +13698,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13721,7 +13721,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13735,7 +13735,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where host.os.type == "windows" and event.type == "start" and diff --git a/tests/reports/alerts_from_rules-8.14.md b/tests/reports/alerts_from_rules-8.14.md index d3ef8364..7492f17e 100644 --- a/tests/reports/alerts_from_rules-8.14.md +++ b/tests/reports/alerts_from_rules-8.14.md @@ -19,7 +19,7 @@ Rules version: 8.14.16 Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python sequence by host.id, user.id with maxspan=1m @@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python sequence by host.id, source.ip, user.name with maxspan=15s 
@@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python sequence with maxspan=1m @@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 Failure message(s): got 1000 signals, expected 4608 @@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 Failure message(s): got 1000 signals, expected 1024 @@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 Failure message(s): got 1000 signals, expected 1024 @@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 
@@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 @@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 Failure message(s): got 1000 signals, expected 8748 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success 
@@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail @@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -788,7 +788,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -800,7 +800,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success 
@@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -827,7 +827,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -839,7 +839,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -856,7 +856,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -869,7 +869,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -895,7 +895,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail 
@@ -910,7 +910,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -955,7 +955,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -967,7 +967,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -979,7 +979,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and 
@@ -992,7 +992,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -1005,7 +1005,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -1019,7 +1019,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1032,7 +1032,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success 
@@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -1092,7 +1092,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1105,7 +1105,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1117,7 +1117,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1132,7 +1132,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail @@ -1148,7 +1148,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail 
@@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1187,7 +1187,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" @@ -1202,7 +1202,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1217,7 +1217,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -1241,7 +1241,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" 
@@ -1256,7 +1256,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1269,7 +1269,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success 
@@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1341,7 +1341,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1380,7 +1380,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1393,7 +1393,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or 
@@ -1406,7 +1406,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1419,7 +1419,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1434,7 +1434,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1447,7 +1447,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1459,7 +1459,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1471,7 +1471,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success 
@@ -1483,7 +1483,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1499,7 +1499,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1516,7 +1516,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1561,7 +1561,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and @@ -1596,7 +1596,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1613,7 +1613,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1633,7 +1633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m 
@@ -1661,7 +1661,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1679,7 +1679,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1695,7 +1695,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1715,7 +1715,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1729,7 +1729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1742,7 +1742,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant 
@@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1781,7 +1781,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1793,7 +1793,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1805,7 +1805,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1824,7 +1824,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1840,7 +1840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1852,7 +1852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and 
@@ -1867,7 +1867,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1897,7 +1897,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1909,7 +1909,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -1922,7 +1922,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1934,7 +1934,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1946,7 +1946,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1958,7 +1958,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate 
@@ -1970,7 +1970,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1982,7 +1982,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1994,7 +1994,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -2006,7 +2006,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -2018,7 +2018,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2030,7 +2030,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2047,7 +2047,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2060,7 +2060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2088,7 +2088,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2104,7 +2104,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2117,7 +2117,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2131,7 +2131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2154,7 +2154,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2169,7 +2169,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:okta.system and event.action:application.lifecycle.update 
@@ -2181,7 +2181,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -2193,7 +2193,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2205,7 +2205,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2217,7 +2217,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -2236,7 +2236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2248,7 +2248,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2260,7 +2260,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2273,7 +2273,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2285,7 +2285,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2315,7 +2315,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2330,7 +2330,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2344,7 +2344,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.dataset:azure.signinlogs and @@ -2358,7 +2358,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:azure.signinlogs and @@ -2371,7 +2371,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:azure.signinlogs and @@ -2385,7 +2385,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and 
@@ -2398,7 +2398,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2410,7 +2410,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2422,7 +2422,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:azure.activitylogs and @@ -2441,7 +2441,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:azure.activitylogs and @@ -2455,7 +2455,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:azure.activitylogs and @@ -2473,7 +2473,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2485,7 +2485,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( 
@@ -2500,7 +2500,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2512,7 +2512,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2525,7 +2525,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2537,7 +2537,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2549,7 +2549,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) 
@@ -2561,7 +2561,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2573,7 +2573,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2585,7 +2585,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2597,7 +2597,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2615,7 +2615,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2631,7 +2631,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) 
@@ -2643,7 +2643,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2656,7 +2656,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2669,7 +2669,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2684,7 +2684,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2696,7 +2696,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2708,7 +2708,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) 
@@ -2720,7 +2720,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2732,7 +2732,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2744,7 +2744,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2756,7 +2756,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2774,7 +2774,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2788,7 +2788,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -2802,7 +2802,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.category:file and event.type:change and @@ -2827,7 +2827,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2842,7 +2842,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2857,7 +2857,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2879,7 +2879,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "windows" and event.type : "creation" and @@ -2908,7 +2908,7 @@ file where host.os.type == "windows" and event.type : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2929,7 +2929,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
@@ -2949,7 +2949,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 36 Document count: 36 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2970,7 +2970,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2995,7 +2995,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3009,7 +3009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3027,7 +3027,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -3047,7 +3047,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python sequence by process.entity_id @@ -3070,7 +3070,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3087,7 +3087,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3149,7 +3149,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python library where host.os.type == "windows" and event.action == "load" and @@ -3179,7 +3179,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3204,7 +3204,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -3225,7 +3225,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python sequence by process.entity_id @@ -3246,7 +3246,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where container.id: "*" and event.type== "start" @@ -3259,7 +3259,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.kind:alert and event.module:cloud_defend @@ -3271,7 +3271,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 12 Document count: 12 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3294,7 +3294,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python file where host.os.type == "macos" and event.type != "deletion" and 
@@ -3314,7 +3314,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -3327,7 +3327,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -3340,7 +3340,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -3355,7 +3355,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -3372,7 +3372,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -3386,7 +3386,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 3 Document count: 3 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3403,7 +3403,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") 
@@ -3415,7 +3415,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 12 Document count: 12 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and @@ -3464,7 +3464,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and @@ -3482,7 +3482,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti Branch count: 8 Document count: 8 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3497,7 +3497,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3509,7 +3509,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3521,7 +3521,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) 
@@ -3533,7 +3533,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3545,7 +3545,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python file where host.os.type == "linux" and @@ -3587,7 +3587,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3607,7 +3607,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 128 Document count: 128 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3629,7 +3629,7 @@ process.name == "curl" and ( Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3641,7 +3641,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:cyberarkpas.audit and @@ -3656,7 +3656,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and 
@@ -3687,7 +3687,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3703,7 +3703,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 5 Document count: 5 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3721,7 +3721,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3736,7 +3736,7 @@ Index: geneve-ut-264 Branch count: 2 Document count: 2 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3750,7 +3750,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3764,7 +3764,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and @@ -3778,7 +3778,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") Branch count: 12 Document count: 12 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3806,7 +3806,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3823,7 +3823,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3848,7 +3848,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3865,7 +3865,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3880,7 +3880,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3892,7 +3892,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3905,7 +3905,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" 
@@ -3917,7 +3917,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan=1m @@ -3935,7 +3935,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -3970,7 +3970,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3985,7 +3985,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4001,7 +4001,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4015,7 +4015,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -4027,7 +4027,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=3s @@ -4050,7 +4050,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python process where 
@@ -4081,7 +4081,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -4094,7 +4094,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4108,7 +4108,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python registry where host.os.type == "windows" and @@ -4122,7 +4122,7 @@ registry where host.os.type == "windows" and Branch count: 16 Document count: 16 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4157,7 +4157,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -4169,7 +4169,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 3 Document count: 3 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:(azure.activitylogs or azure.signinlogs) @@ -4186,7 +4186,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs) Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4200,7 +4200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4219,7 +4219,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4246,7 +4246,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4277,7 +4277,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and @@ -4290,7 +4290,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4319,7 +4319,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4347,7 +4347,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4360,7 +4360,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -4380,7 +4380,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4404,7 +4404,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -4430,7 +4430,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4455,7 +4455,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4484,7 +4484,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -4496,7 +4496,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4519,7 +4519,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4534,7 +4534,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" 
@@ -4546,7 +4546,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4566,7 +4566,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4600,7 +4600,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4612,7 +4612,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4626,7 +4626,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4639,7 +4639,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -4651,7 +4651,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4663,7 +4663,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4677,7 +4677,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4689,7 +4689,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4721,7 +4721,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s @@ -4738,7 +4738,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4752,7 +4752,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and 
@@ -4768,7 +4768,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4783,7 +4783,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4798,7 +4798,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4825,7 +4825,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4846,7 +4846,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4865,7 +4865,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4891,7 +4891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4921,7 +4921,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert 
@@ -4933,7 +4933,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4951,7 +4951,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4963,7 +4963,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4975,7 +4975,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4987,7 +4987,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -4999,7 +4999,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -5011,7 +5011,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success 
@@ -5023,7 +5023,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -5035,7 +5035,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -5047,7 +5047,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -5059,7 +5059,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -5071,7 +5071,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -5083,7 +5083,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success 
@@ -5095,7 +5095,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -5107,7 +5107,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5119,7 +5119,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5131,7 +5131,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -5143,7 +5143,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -5155,7 +5155,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success 
@@ -5167,7 +5167,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5179,7 +5179,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5191,7 +5191,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5203,7 +5203,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5215,7 +5215,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -5227,7 +5227,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -5251,7 +5251,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s 
@@ -5269,7 +5269,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5297,7 +5297,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -5322,7 +5322,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5334,7 +5334,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5346,7 +5346,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -5358,7 +5358,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -5371,7 +5371,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" 
@@ -5383,7 +5383,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5395,7 +5395,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5407,7 +5407,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5420,7 +5420,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5432,7 +5432,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin @@ -5448,7 +5448,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5461,7 +5461,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE 
@@ -5473,7 +5473,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5486,7 +5486,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5498,7 +5498,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5511,7 +5511,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -5528,7 +5528,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5542,7 +5542,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5566,7 +5566,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
@@ -5587,7 +5587,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5601,7 +5601,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5613,7 +5613,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5625,7 +5625,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -5638,7 +5638,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5651,7 +5651,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -5672,7 +5672,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5684,7 +5684,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5701,7 +5701,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5730,7 +5730,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5743,7 +5743,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5758,7 +5758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5770,7 +5770,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5787,7 +5787,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m 
@@ -5806,7 +5806,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5824,7 +5824,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5843,7 +5843,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5859,7 +5859,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5875,7 +5875,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5888,7 +5888,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" @@ -5906,7 +5906,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5919,7 +5919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5935,7 +5935,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -5958,7 +5958,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5979,7 +5979,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -6000,7 +6000,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -6013,7 +6013,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6031,7 +6031,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -6044,7 +6044,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6058,7 +6058,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and 
@@ -6117,7 +6117,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6130,7 +6130,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6143,7 +6143,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6157,7 +6157,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6173,7 +6173,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6188,7 +6188,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6204,7 +6204,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" 
@@ -6216,7 +6216,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -6231,7 +6231,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -6245,7 +6245,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -6261,7 +6261,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" @@ -6278,7 +6278,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -6295,7 +6295,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -6312,7 +6312,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -6345,7 +6345,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -6362,7 +6362,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -6379,7 +6379,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6396,7 +6396,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -6412,7 +6412,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6450,7 +6450,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and @@ -6485,7 +6485,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6558,7 +6558,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6576,7 +6576,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6592,7 +6592,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6606,7 +6606,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6621,7 +6621,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6683,7 +6683,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6697,7 +6697,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -6713,7 +6713,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6732,7 +6732,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6750,7 +6750,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6775,7 +6775,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false 
@@ -6787,7 +6787,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6822,7 +6822,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6836,7 +6836,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -6848,7 +6848,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6860,7 +6860,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6872,7 +6872,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
@@ -6884,7 +6884,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6896,7 +6896,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6928,7 +6928,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -6940,7 +6940,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6952,7 +6952,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6964,7 +6964,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success 
@@ -6976,7 +6976,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6988,7 +6988,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -7000,7 +7000,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -7012,7 +7012,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -7024,7 +7024,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success 
@@ -7036,7 +7036,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -7048,7 +7048,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -7060,7 +7060,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -7073,7 +7073,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -7092,7 +7092,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -7104,7 +7104,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and 
@@ -7119,7 +7119,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7133,7 +7133,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7147,7 +7147,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -7159,7 +7159,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -7171,7 +7171,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7185,7 +7185,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7206,7 +7206,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7220,7 +7220,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7253,7 +7253,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7278,7 +7278,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category: "process" and host.os.type:windows and @@ -7302,7 +7302,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7317,7 +7317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7331,7 +7331,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7345,7 +7345,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7368,7 +7368,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -7418,7 +7418,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -7430,7 +7430,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7448,7 +7448,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7465,7 +7465,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7477,7 +7477,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7503,7 +7503,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.category:file and host.os.type:linux and event.type:change and 
@@ -7525,7 +7525,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7547,7 +7547,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python registry where host.os.type == "windows" and event.type == "creation" and @@ -7564,7 +7564,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7578,7 +7578,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7590,7 +7590,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7613,7 +7613,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7626,7 +7626,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7645,7 +7645,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id with maxspan=30s @@ -7682,7 +7682,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by process.entity_id with maxspan=10m @@ -7700,7 +7700,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7712,7 +7712,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7738,7 +7738,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7764,7 +7764,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7788,7 +7788,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7802,7 +7802,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7821,7 +7821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -7836,7 +7836,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python process where container.id: "*" and event.type== "start" @@ -7859,7 +7859,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7873,7 +7873,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 3 Document count: 3 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7890,7 +7890,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7913,7 +7913,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python sequence by host.id with maxspan=1s @@ -7940,7 +7940,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 16 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id with maxspan=10s @@ -7957,7 +7957,7 @@ sequence by host.id with maxspan=10s Branch count: 1 Document count: 1 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and 
@@ -7976,7 +7976,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by process.entity_id @@ -7996,7 +7996,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python sequence by process.entity_id @@ -8015,7 +8015,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python sequence by host.id with maxspan=1m @@ -8035,7 +8035,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python sequence by process.entity_id @@ -8060,7 +8060,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python sequence by process.entity_id @@ -8082,7 +8082,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python network where host.os.type == "linux" and event.type == "start" and @@ -8103,7 +8103,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 2 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -8134,7 +8134,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8164,7 +8164,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and 
@@ -8181,7 +8181,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 3 Document count: 3 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8194,7 +8194,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -8206,7 +8206,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -8218,7 +8218,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -8230,7 +8230,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -8242,7 +8242,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" 
@@ -8254,7 +8254,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -8268,7 +8268,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8281,7 +8281,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -8293,7 +8293,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -8307,7 +8307,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -8319,7 +8319,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python registry where host.os.type == "windows" and event.action != "deletion" and 
@@ -8332,7 +8332,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.dataset:okta.system and event.category:authentication and @@ -8345,7 +8345,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -8368,7 +8368,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -8380,7 +8380,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -8392,7 +8392,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -8404,7 +8404,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 6 Document count: 6 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8421,7 +8421,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op Branch count: 36 Document count: 72 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -8436,7 +8436,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 5 Document count: 5 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and @@ -8455,7 +8455,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 2 Document count: 2 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8469,7 +8469,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8481,7 +8481,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8493,7 +8493,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8511,7 +8511,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -8524,7 +8524,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -8539,7 +8539,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and @@ -8552,7 +8552,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 32 Document count: 32 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8581,7 +8581,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8601,7 +8601,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8620,7 +8620,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8633,7 +8633,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -8649,7 +8649,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8675,7 +8675,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8694,7 +8694,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8722,7 +8722,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8737,7 +8737,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8800,7 +8800,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 14 Document count: 14 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python any where host.os.type == "windows" and @@ -8825,7 +8825,7 @@ any where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8841,7 +8841,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
@@ -8859,7 +8859,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8871,7 +8871,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8888,7 +8888,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8903,7 +8903,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8920,7 +8920,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8940,7 +8940,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p Branch count: 2 Document count: 6 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id, user.name with maxspan = 5s @@ -8969,7 +8969,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python file where event.module == "cloud_defend" and event.action == "open" and 
@@ -8982,7 +8982,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8995,7 +8995,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python process where event.type in ("start", "process_started", "info") and @@ -9019,7 +9019,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -9054,7 +9054,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9072,7 +9072,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9095,7 +9095,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -9149,7 +9149,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python sequence by process.entity_id with maxspan=1m @@ -9167,7 +9167,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by process.entity_id 
@@ -9182,7 +9182,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python any where processor.name == "transaction" and @@ -9196,7 +9196,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9217,7 +9217,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9238,7 +9238,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -9263,7 +9263,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9276,7 +9276,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" @@ -9288,7 +9288,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path == Branch count: 2 Document count: 2 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -9301,7 +9301,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9319,7 +9319,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9332,7 +9332,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python sequence by process.entity_id with maxspan=3m @@ -9356,7 +9356,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where event.type == "start" and host.os.type == "windows" and @@ -9372,7 +9372,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9397,7 +9397,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -9410,7 +9410,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by host.id, user.id with maxspan=1s 
@@ -9432,7 +9432,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9450,7 +9450,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9463,7 +9463,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9476,7 +9476,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9489,7 +9489,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9504,7 +9504,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by host.id with maxspan=1m @@ -9540,7 +9540,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9553,7 +9553,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -9571,7 +9571,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -9585,7 +9585,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by host.id with maxspan=30s @@ -9604,7 +9604,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9617,7 +9617,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9633,7 +9633,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9646,7 +9646,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9676,7 +9676,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s 
@@ -9694,7 +9694,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9722,7 +9722,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9741,7 +9741,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and @@ -9879,7 +9879,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and @@ -9950,7 +9950,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9967,7 +9967,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9993,7 +9993,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip 
@@ -10005,7 +10005,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10046,7 +10046,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -10060,7 +10060,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python sequence by process.entity_id with maxspan=1m @@ -10088,7 +10088,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -10129,7 +10129,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python network where host.os.type == "windows" and @@ -10155,7 +10155,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10168,7 +10168,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and 
@@ -10238,7 +10238,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10252,7 +10252,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10265,7 +10265,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10289,7 +10289,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10309,7 +10309,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python host.os.type:windows and event.category:process and @@ -10346,7 +10346,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:windows and @@ -10539,7 +10539,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -10555,7 +10555,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -10569,7 +10569,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10586,7 +10586,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10600,7 +10600,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10616,7 +10616,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -10632,7 +10632,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10644,7 +10644,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -10660,7 +10660,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence by host.id with maxspan=1m @@ -10680,7 +10680,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10692,7 +10692,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python iam where event.action == "renamed-user-account" and @@ -10706,7 +10706,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10729,7 +10729,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10750,7 +10750,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10763,7 +10763,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python file where host.os.type == "windows" and @@ -10778,7 +10778,7 @@ file where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -10806,7 +10806,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10821,7 +10821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence with maxspan=1m @@ -10863,7 +10863,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by host.id with maxspan=5s @@ -10883,7 +10883,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where event.type in ("start", "process_started") and @@ -10904,7 +10904,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10918,7 +10918,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10938,7 +10938,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan=5s @@ -10967,7 +10967,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -10983,7 +10983,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10995,7 +10995,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -11009,7 +11009,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -11037,7 +11037,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python sequence by host.id with maxspan=1s @@ -11059,7 +11059,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -11088,7 +11088,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11101,7 +11101,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s 
@@ -11117,7 +11117,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11131,7 +11131,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -11161,7 +11161,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11174,7 +11174,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -11190,7 +11190,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11207,7 +11207,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and 
@@ -11220,7 +11220,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -11237,7 +11237,7 @@ process.executable : ( Branch count: 8 Document count: 16 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -11253,7 +11253,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11270,7 +11270,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 16 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python sequence by okta.actor.id with maxspan=10m @@ -11290,7 +11290,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 72 Document count: 72 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11306,7 +11306,7 @@ process.parent.name in ("screen", "tmux") and process.name like ( Branch count: 21 Document count: 21 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python event.category:process and host.os.type:windows and @@ -11331,7 +11331,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python event.category:process and host.os.type:windows and @@ -11350,7 +11350,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python event.category:process and host.os.type:windows and 
@@ -11373,7 +11373,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -11385,7 +11385,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python event.category:process and host.os.type:windows and @@ -11409,7 +11409,7 @@ event.category:process and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11426,7 +11426,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 80 Document count: 80 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and @@ -11446,7 +11446,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 4 Document count: 8 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -11479,7 +11479,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -11496,7 +11496,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11510,7 +11510,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -11524,7 +11524,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -11537,7 +11537,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -11580,7 +11580,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 20 Document count: 20 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11606,7 +11606,7 @@ registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -11623,7 +11623,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11637,7 +11637,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -11651,7 +11651,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11668,7 +11668,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -11743,7 +11743,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=1m @@ -11764,7 +11764,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11783,7 +11783,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11798,7 +11798,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11851,7 +11851,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -11863,7 +11863,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11875,7 +11875,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and process.name: "MSBuild.exe" and @@ -11888,7 +11888,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and Branch count: 114 Document count: 114 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11931,7 +11931,7 @@ not ( Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s @@ -11979,7 +11979,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11992,7 +11992,7 @@ process.name : "* " Branch count: 4 Document count: 4 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12029,7 +12029,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where event.action == "exec" and host.os.type == "macos" and 
@@ -12049,7 +12049,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -12062,7 +12062,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by process.entity_id @@ -12086,7 +12086,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -12105,7 +12105,7 @@ file.path : "/private/var/folders/*" Branch count: 6 Document count: 6 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12129,7 +12129,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 8 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python sequence by process.entity_id with maxspan=1m @@ -12144,7 +12144,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -12156,7 +12156,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -12168,7 +12168,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12185,7 +12185,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12215,7 +12215,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 18 Document count: 18 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12230,7 +12230,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12249,7 +12249,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12266,7 +12266,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -12289,7 +12289,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12303,7 +12303,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12317,7 +12317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python sequence by process.entity_id with maxspan=30s @@ -12341,7 +12341,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id, process.entity_id @@ -12357,7 +12357,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12372,7 +12372,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -12392,7 +12392,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python iam where event.action == "scheduled-task-created" and @@ -12405,7 +12405,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -12447,7 +12447,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python sequence with maxspan=1m 
@@ -12470,7 +12470,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python sequence with maxspan=1s @@ -12518,7 +12518,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12531,7 +12531,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12551,7 +12551,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( Branch count: 2 Document count: 4 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -12568,7 +12568,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -12615,7 +12615,7 @@ Index: geneve-ut-910 Branch count: 1 Document count: 1 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -12628,7 +12628,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") @@ -12641,7 +12641,7 @@ and file.path : "/etc/selinux/config" Branch count: 32 Document count: 32 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and 
@@ -12662,7 +12662,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -12674,7 +12674,7 @@ Index: geneve-ut-916 Branch count: 6 Document count: 6 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python file where container.id:"*" and @@ -12687,7 +12687,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where container.id: "*" and event.type == "start" and @@ -12708,7 +12708,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -12722,7 +12722,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where container.id: "*" and event.type== "start" and @@ -12736,7 +12736,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 2 Document count: 2 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and @@ -12749,7 +12749,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") Branch count: 36 Document count: 36 -Index: geneve-ut-925 +Index: geneve-ut-0925 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12767,7 +12767,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-927 +Index: geneve-ut-0927 ```python sequence by host.id with maxspan = 30s 
@@ -12788,7 +12788,7 @@ sequence by host.id with maxspan = 30s Branch count: 6 Document count: 6 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12805,7 +12805,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12820,7 +12820,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-931 +Index: geneve-ut-0931 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12861,7 +12861,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12895,7 +12895,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12909,7 +12909,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 112 Document count: 112 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12929,7 +12929,7 @@ process.args like ( Branch count: 2 Document count: 2 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12943,7 +12943,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where event.type == "start" and 
@@ -13004,7 +13004,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where container.id: "*" and event.type== "start" and @@ -13047,7 +13047,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where container.id: "*" and event.type== "start" and @@ -13071,7 +13071,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -13084,7 +13084,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python file where host.os.type == "windows" and @@ -13105,7 +13105,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python sequence by process.entity_id with maxspan = 1m @@ -13122,7 +13122,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -13142,7 +13142,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python sequence by winlog.computer_name with maxspan=5m @@ -13166,7 +13166,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13181,7 +13181,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -13202,7 +13202,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -13225,7 +13225,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -13238,7 +13238,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13254,7 +13254,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -13267,7 +13267,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -13279,7 +13279,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 264 Document count: 264 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( @@ -13327,7 +13327,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python sequence by host.id with maxspan=5s 
@@ -13341,7 +13341,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -13363,7 +13363,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13382,7 +13382,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -13396,7 +13396,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 42 Document count: 42 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and @@ -13423,7 +13423,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 12 Document count: 24 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -13448,7 +13448,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13481,7 +13481,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python beacon_stats.is_beaconing: true and 
@@ -13499,7 +13499,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python beacon_stats.beaconing_score: 3 @@ -13511,7 +13511,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python sequence by user.name with maxspan=12h @@ -13526,7 +13526,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-981 +Index: geneve-ut-0981 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -13551,7 +13551,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13566,7 +13566,7 @@ not process.args == "dpkg" Branch count: 16 Document count: 16 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13580,7 +13580,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python event.category:process and host.os.type:windows and @@ -13611,7 +13611,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-988 +Index: geneve-ut-0988 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13626,7 +13626,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python sequence by host.id with maxspan=5s 
@@ -13648,7 +13648,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-990 +Index: geneve-ut-0990 ```python sequence by host.id with maxspan=5s @@ -13675,7 +13675,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -13687,7 +13687,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 4 Document count: 4 -Index: geneve-ut-993 +Index: geneve-ut-0993 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -13719,7 +13719,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python sequence by host.id with maxspan=30s @@ -13733,7 +13733,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13765,7 +13765,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -13789,7 +13789,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13803,7 +13803,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13826,7 +13826,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where host.os.type == "windows" and event.type == "start" and diff --git a/tests/reports/alerts_from_rules-8.15.md b/tests/reports/alerts_from_rules-8.15.md index b3c71f60..512e185a 100644 --- a/tests/reports/alerts_from_rules-8.15.md +++ b/tests/reports/alerts_from_rules-8.15.md @@ -19,7 +19,7 @@ Rules version: 8.15.10 Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python sequence by host.id, user.id with maxspan=1m @@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python sequence with maxspan=1m 
@@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 Failure message(s): got 1000 signals, expected 4608 @@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 Failure message(s): got 1000 signals, expected 1024 @@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 Failure message(s): got 1000 signals, expected 1024 @@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 @@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 
@@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 Failure message(s): got 1000 signals, expected 8748 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail 
@@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -788,7 +788,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -800,7 +800,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -827,7 +827,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -839,7 +839,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -856,7 +856,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -869,7 +869,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -895,7 +895,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail @@ -910,7 +910,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -955,7 +955,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -967,7 +967,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -979,7 +979,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -992,7 +992,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -1005,7 +1005,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -1019,7 +1019,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1032,7 +1032,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -1092,7 +1092,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1105,7 +1105,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1117,7 +1117,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1132,7 +1132,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail @@ -1148,7 +1148,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail @@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1187,7 +1187,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" 
@@ -1202,7 +1202,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1217,7 +1217,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -1241,7 +1241,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" @@ -1256,7 +1256,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1269,7 +1269,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success 
@@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1341,7 +1341,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success 
@@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1380,7 +1380,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1393,7 +1393,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1406,7 +1406,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1419,7 +1419,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1434,7 +1434,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
@@ -1447,7 +1447,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1459,7 +1459,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1471,7 +1471,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1483,7 +1483,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1499,7 +1499,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1516,7 +1516,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1561,7 +1561,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and 
@@ -1596,7 +1596,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1613,7 +1613,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1633,7 +1633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m @@ -1661,7 +1661,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1679,7 +1679,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1695,7 +1695,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1715,7 +1715,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1729,7 +1729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1742,7 +1742,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1781,7 +1781,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1793,7 +1793,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1805,7 +1805,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s 
@@ -1824,7 +1824,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1840,7 +1840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1852,7 +1852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1867,7 +1867,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1897,7 +1897,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1909,7 +1909,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -1922,7 +1922,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1934,7 +1934,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1946,7 +1946,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1958,7 +1958,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1970,7 +1970,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1982,7 +1982,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1994,7 +1994,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -2006,7 +2006,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete 
@@ -2018,7 +2018,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2030,7 +2030,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2047,7 +2047,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2060,7 +2060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2088,7 +2088,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2104,7 +2104,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2117,7 +2117,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2131,7 +2131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2154,7 +2154,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2169,7 +2169,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -2181,7 +2181,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -2193,7 +2193,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2205,7 +2205,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2217,7 +2217,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -2236,7 +2236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2248,7 +2248,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2260,7 +2260,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2273,7 +2273,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2285,7 +2285,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2315,7 +2315,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2330,7 +2330,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and 
@@ -2344,7 +2344,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.dataset:azure.signinlogs and @@ -2358,7 +2358,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:azure.signinlogs and @@ -2371,7 +2371,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:azure.signinlogs and @@ -2385,7 +2385,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -2398,7 +2398,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2410,7 +2410,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2422,7 +2422,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:azure.activitylogs and @@ -2441,7 +2441,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:azure.activitylogs and 
@@ -2455,7 +2455,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:azure.activitylogs and @@ -2473,7 +2473,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2485,7 +2485,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2500,7 +2500,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2512,7 +2512,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2525,7 +2525,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) 
@@ -2537,7 +2537,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2549,7 +2549,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2561,7 +2561,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2573,7 +2573,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2585,7 +2585,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -2597,7 +2597,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2615,7 +2615,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2631,7 +2631,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2643,7 +2643,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2656,7 +2656,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2669,7 +2669,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2684,7 +2684,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) 
@@ -2696,7 +2696,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2708,7 +2708,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2720,7 +2720,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2732,7 +2732,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2744,7 +2744,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) 
@@ -2756,7 +2756,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2774,7 +2774,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2788,7 +2788,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2802,7 +2802,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.category:file and event.type:change and @@ -2827,7 +2827,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2842,7 +2842,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2857,7 +2857,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2879,7 +2879,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "windows" and event.type : "creation" and @@ -2908,7 +2908,7 @@ file where host.os.type == "windows" and event.type : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2929,7 +2929,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2949,7 +2949,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 36 Document count: 36 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2970,7 +2970,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2995,7 +2995,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3009,7 +3009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3027,7 +3027,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -3047,7 +3047,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python sequence by process.entity_id @@ -3070,7 +3070,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3087,7 +3087,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3149,7 +3149,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python library where host.os.type == "windows" and event.action == "load" and @@ -3179,7 +3179,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3204,7 +3204,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -3225,7 +3225,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python sequence by process.entity_id 
@@ -3246,7 +3246,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where container.id: "*" and event.type== "start" @@ -3259,7 +3259,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.kind:alert and event.module:cloud_defend @@ -3271,7 +3271,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 12 Document count: 12 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3294,7 +3294,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3314,7 +3314,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -3327,7 +3327,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -3340,7 +3340,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -3355,7 +3355,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -3372,7 +3372,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -3386,7 +3386,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 3 Document count: 3 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3403,7 +3403,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -3415,7 +3415,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 12 Document count: 12 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and @@ -3464,7 +3464,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and @@ -3482,7 +3482,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti Branch count: 8 Document count: 8 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3497,7 +3497,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3509,7 +3509,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3521,7 +3521,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3533,7 +3533,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3545,7 +3545,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python file where host.os.type == "linux" and @@ -3587,7 +3587,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -3607,7 +3607,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 128 Document count: 128 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3629,7 +3629,7 @@ process.name == "curl" and ( Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3641,7 +3641,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:cyberarkpas.audit and @@ -3656,7 +3656,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -3687,7 +3687,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3703,7 +3703,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 5 Document count: 5 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3721,7 +3721,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3736,7 +3736,7 @@ Index: geneve-ut-264 Branch count: 2 Document count: 2 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3750,7 +3750,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3764,7 +3764,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and @@ -3778,7 +3778,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") Branch count: 12 Document count: 12 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3806,7 +3806,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3823,7 +3823,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3848,7 +3848,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3865,7 +3865,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -3880,7 +3880,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3892,7 +3892,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3905,7 +3905,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3917,7 +3917,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan=1m @@ -3935,7 +3935,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -3970,7 +3970,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3985,7 +3985,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -4001,7 +4001,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4015,7 +4015,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -4027,7 +4027,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=3s @@ -4050,7 +4050,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python process where @@ -4081,7 +4081,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -4094,7 +4094,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4108,7 +4108,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python registry where host.os.type == "windows" and @@ -4122,7 +4122,7 @@ registry where host.os.type == "windows" and Branch count: 16 Document count: 16 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4157,7 +4157,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -4169,7 +4169,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 3 Document count: 3 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:(azure.activitylogs or azure.signinlogs) @@ -4186,7 +4186,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs) Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4200,7 +4200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4219,7 +4219,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4246,7 +4246,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4277,7 +4277,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and @@ -4290,7 +4290,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -4319,7 +4319,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4347,7 +4347,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4360,7 +4360,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -4380,7 +4380,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4404,7 +4404,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -4430,7 +4430,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4455,7 +4455,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4484,7 +4484,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -4496,7 +4496,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4519,7 +4519,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4534,7 +4534,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -4546,7 +4546,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4566,7 +4566,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4600,7 +4600,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4612,7 +4612,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -4626,7 +4626,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4639,7 +4639,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4651,7 +4651,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4663,7 +4663,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4677,7 +4677,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4689,7 +4689,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4721,7 +4721,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s 
@@ -4738,7 +4738,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4752,7 +4752,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -4768,7 +4768,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4783,7 +4783,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4798,7 +4798,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4825,7 +4825,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4846,7 +4846,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4865,7 +4865,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4891,7 +4891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4921,7 +4921,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert @@ -4933,7 +4933,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4951,7 +4951,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4963,7 +4963,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4975,7 +4975,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4987,7 +4987,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -4999,7 +4999,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -5011,7 +5011,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -5023,7 +5023,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -5035,7 +5035,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -5047,7 +5047,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -5059,7 +5059,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success 
@@ -5071,7 +5071,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -5083,7 +5083,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -5095,7 +5095,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -5107,7 +5107,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5119,7 +5119,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5131,7 +5131,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success 
@@ -5143,7 +5143,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -5155,7 +5155,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -5167,7 +5167,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5179,7 +5179,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5191,7 +5191,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5203,7 +5203,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5215,7 +5215,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success 
@@ -5227,7 +5227,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -5251,7 +5251,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s @@ -5269,7 +5269,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5297,7 +5297,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -5322,7 +5322,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5334,7 +5334,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5346,7 +5346,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" 
@@ -5358,7 +5358,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -5371,7 +5371,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -5383,7 +5383,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5395,7 +5395,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5407,7 +5407,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5420,7 +5420,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5432,7 +5432,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin 
@@ -5448,7 +5448,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5461,7 +5461,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -5473,7 +5473,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5486,7 +5486,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5498,7 +5498,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5511,7 +5511,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and 
@@ -5528,7 +5528,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5542,7 +5542,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5566,7 +5566,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -5587,7 +5587,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5601,7 +5601,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5613,7 +5613,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5625,7 +5625,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam 
@@ -5638,7 +5638,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5651,7 +5651,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -5672,7 +5672,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5684,7 +5684,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5701,7 +5701,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5730,7 +5730,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5743,7 +5743,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5758,7 +5758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5770,7 +5770,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5787,7 +5787,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m @@ -5806,7 +5806,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5824,7 +5824,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5843,7 +5843,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5859,7 +5859,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5875,7 +5875,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5888,7 +5888,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" 
@@ -5906,7 +5906,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5919,7 +5919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5935,7 +5935,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5958,7 +5958,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5979,7 +5979,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -6000,7 +6000,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -6013,7 +6013,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -6031,7 +6031,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -6044,7 +6044,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6058,7 +6058,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -6117,7 +6117,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6130,7 +6130,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6143,7 +6143,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6157,7 +6157,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6173,7 +6173,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6188,7 +6188,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6204,7 +6204,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -6216,7 +6216,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -6231,7 +6231,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -6245,7 +6245,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -6261,7 +6261,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6278,7 +6278,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -6295,7 +6295,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -6312,7 +6312,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -6345,7 +6345,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -6362,7 +6362,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -6379,7 +6379,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" @@ -6396,7 +6396,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -6412,7 +6412,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6450,7 +6450,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and 
@@ -6485,7 +6485,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6558,7 +6558,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6576,7 +6576,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6592,7 +6592,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6606,7 +6606,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6621,7 +6621,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6683,7 +6683,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6697,7 +6697,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -6713,7 +6713,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6732,7 +6732,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6750,7 +6750,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6775,7 +6775,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -6787,7 +6787,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6822,7 +6822,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6836,7 +6836,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com 
@@ -6848,7 +6848,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6860,7 +6860,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6872,7 +6872,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6884,7 +6884,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6896,7 +6896,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6928,7 +6928,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -6940,7 +6940,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6952,7 +6952,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6964,7 +6964,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -6976,7 +6976,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6988,7 +6988,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -7000,7 +7000,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -7012,7 +7012,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -7024,7 +7024,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -7036,7 +7036,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -7048,7 +7048,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -7060,7 +7060,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -7073,7 +7073,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -7092,7 +7092,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -7104,7 +7104,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -7119,7 +7119,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7133,7 +7133,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -7147,7 +7147,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -7159,7 +7159,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -7171,7 +7171,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7185,7 +7185,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7206,7 +7206,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7220,7 +7220,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7253,7 +7253,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -7278,7 +7278,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category: "process" and host.os.type:windows and @@ -7302,7 +7302,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7317,7 +7317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7331,7 +7331,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7345,7 +7345,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7368,7 +7368,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -7418,7 +7418,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" 
@@ -7430,7 +7430,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7448,7 +7448,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7465,7 +7465,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7477,7 +7477,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7503,7 +7503,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.category:file and host.os.type:linux and event.type:change and @@ -7525,7 +7525,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7547,7 +7547,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python registry where host.os.type == "windows" and event.type == "creation" and 
@@ -7564,7 +7564,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7578,7 +7578,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7590,7 +7590,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7613,7 +7613,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7626,7 +7626,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7645,7 +7645,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id with maxspan=30s @@ -7682,7 +7682,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by process.entity_id with maxspan=10m 
@@ -7700,7 +7700,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7712,7 +7712,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7738,7 +7738,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7764,7 +7764,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7788,7 +7788,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7802,7 +7802,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7821,7 +7821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and 
@@ -7836,7 +7836,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-
 Branch count: 560
 Document count: 560
-Index: geneve-ut-584
+Index: geneve-ut-0584
 ```python
 process where container.id: "*" and event.type== "start"
@@ -7859,7 +7859,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")
 Branch count: 10
 Document count: 10
-Index: geneve-ut-585
+Index: geneve-ut-0585
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -7873,7 +7873,7 @@ process.args : "*l*" and process.args_count >= 4
 Branch count: 3
 Document count: 3
-Index: geneve-ut-586
+Index: geneve-ut-0586
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -7890,7 +7890,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 16
 Document count: 32
-Index: geneve-ut-588
+Index: geneve-ut-0588
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -7913,7 +7913,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 Branch count: 1
 Document count: 2
-Index: geneve-ut-589
+Index: geneve-ut-0589
 ```python
 sequence by host.id with maxspan=1s
@@ -7940,7 +7940,7 @@ sequence by host.id with maxspan=1s
 Branch count: 8
 Document count: 16
-Index: geneve-ut-590
+Index: geneve-ut-0590
 ```python
 sequence by host.id with maxspan=10s
@@ -7957,7 +7957,7 @@ sequence by host.id with maxspan=10s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-592
+Index: geneve-ut-0592
 ```python
 network where host.os.type == "windows" and process.name : "certutil.exe" and
@@ -7976,7 +7976,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-593
+Index: geneve-ut-0593
 ```python
 sequence by process.entity_id
@@ -7996,7 +7996,7 @@ sequence by process.entity_id
 Branch count: 1
 Document count: 2
-Index: geneve-ut-594
+Index: geneve-ut-0594
 ```python
 sequence by process.entity_id
@@ -8015,7 +8015,7 @@ sequence by process.entity_id
 Branch count: 3
 Document count: 12
-Index: geneve-ut-595
+Index: geneve-ut-0595
 ```python
 sequence by host.id with maxspan=1m
@@ -8035,7 +8035,7 @@ sequence by host.id with maxspan=1m
 Branch count: 18
 Document count: 36
-Index: geneve-ut-596
+Index: geneve-ut-0596
 ```python
 sequence by process.entity_id
@@ -8060,7 +8060,7 @@ sequence by process.entity_id
 Branch count: 16
 Document count: 32
-Index: geneve-ut-597
+Index: geneve-ut-0597
 ```python
 sequence by process.entity_id
@@ -8082,7 +8082,7 @@ sequence by process.entity_id
 Branch count: 2
 Document count: 2
-Index: geneve-ut-598
+Index: geneve-ut-0598
 ```python
 network where host.os.type == "linux" and event.type == "start" and
@@ -8103,7 +8103,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr
 Branch count: 2
 Document count: 4
-Index: geneve-ut-599
+Index: geneve-ut-0599
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -8134,7 +8134,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 Branch count: 4
 Document count: 4
-Index: geneve-ut-600
+Index: geneve-ut-0600
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -8164,7 +8164,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-603
+Index: geneve-ut-0603
 ```python
 registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and
@@ -8181,7 +8181,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
 Branch count: 3
 Document count: 3
-Index: geneve-ut-604
+Index: geneve-ut-0604
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8194,7 +8194,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-605
+Index: geneve-ut-0605
 ```python
 configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
@@ -8206,7 +8206,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra
 Branch count: 1
 Document count: 1
-Index: geneve-ut-606
+Index: geneve-ut-0606
 ```python
 iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
@@ -8218,7 +8218,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-607
+Index: geneve-ut-0607
 ```python
 event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
@@ -8230,7 +8230,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
 Branch count: 1
 Document count: 1
-Index: geneve-ut-608
+Index: geneve-ut-0608
 ```python
 event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS"
@@ -8242,7 +8242,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-609
+Index: geneve-ut-0609
 ```python
 configuration where event.dataset == "github.audit" and event.action == "org.add_member"
@@ -8254,7 +8254,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add
 Branch count: 6
 Document count: 6
-Index: geneve-ut-610
+Index: geneve-ut-0610
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
@@ -8268,7 +8268,7 @@ event.outcome:success
 Branch count: 4
 Document count: 4
-Index: geneve-ut-611
+Index: geneve-ut-0611
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -8281,7 +8281,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-613
+Index: geneve-ut-0613
 ```python
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
@@ -8293,7 +8293,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a
 Branch count: 3
 Document count: 3
-Index: geneve-ut-615
+Index: geneve-ut-0615
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
@@ -8307,7 +8307,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-616
+Index: geneve-ut-0616
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
@@ -8319,7 +8319,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo
 Branch count: 1
 Document count: 1
-Index: geneve-ut-617
+Index: geneve-ut-0617
 ```python
 registry where host.os.type == "windows" and event.action != "deletion" and
@@ -8332,7 +8332,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-619
+Index: geneve-ut-0619
 ```python
 event.dataset:okta.system and event.category:authentication and
@@ -8345,7 +8345,7 @@ event.dataset:okta.system and event.category:authentication and
 Branch count: 10
 Document count: 10
-Index: geneve-ut-620
+Index: geneve-ut-0620
 ```python
 event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
@@ -8368,7 +8368,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/
 Branch count: 2
 Document count: 2
-Index: geneve-ut-621
+Index: geneve-ut-0621
 ```python
 event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
@@ -8380,7 +8380,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb
 Branch count: 1
 Document count: 1
-Index: geneve-ut-622
+Index: geneve-ut-0622
 ```python
 event.dataset:okta.system and event.action:user.session.impersonation.initiate
@@ -8392,7 +8392,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate
 Branch count: 1
 Document count: 1
-Index: geneve-ut-624
+Index: geneve-ut-0624
 ```python
 event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
@@ -8404,7 +8404,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi
 Branch count: 6
 Document count: 6
-Index: geneve-ut-625
+Index: geneve-ut-0625
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -8421,7 +8421,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op
 Branch count: 36
 Document count: 72
-Index: geneve-ut-626
+Index: geneve-ut-0626
 ```python
 sequence by host.id, process.entity_id with maxspan = 5s
@@ -8436,7 +8436,7 @@ sequence by host.id, process.entity_id with maxspan = 5s
 Branch count: 5
 Document count: 5
-Index: geneve-ut-627
+Index: geneve-ut-0627
 ```python
 registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
@@ -8455,7 +8455,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
 Branch count: 2
 Document count: 2
-Index: geneve-ut-629
+Index: geneve-ut-0629
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8469,7 +8469,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-630
+Index: geneve-ut-0630
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
@@ -8481,7 +8481,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-631
+Index: geneve-ut-0631
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
@@ -8493,7 +8493,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-632
+Index: geneve-ut-0632
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8511,7 +8511,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-633
+Index: geneve-ut-0633
 ```python
 event.category:file and host.os.type:macos and not event.type:deletion and
@@ -8524,7 +8524,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-634
+Index: geneve-ut-0634
 ```python
 event.category:file and host.os.type:macos and event.action:modification and
@@ -8539,7 +8539,7 @@ event.category:file and host.os.type:macos and event.action:modification and
 Branch count: 11
 Document count: 11
-Index: geneve-ut-635
+Index: geneve-ut-0635
 ```python
 process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
@@ -8552,7 +8552,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name
 Branch count: 32
 Document count: 32
-Index: geneve-ut-637
+Index: geneve-ut-0637
 ```python
 file where host.os.type == "linux" and event.type != "deletion" and
@@ -8581,7 +8581,7 @@ file where host.os.type == "linux" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-638
+Index: geneve-ut-0638
 ```python
 process where host.os.type == "macos" and event.type == "start" and
@@ -8601,7 +8601,7 @@ process where host.os.type == "macos" and event.type == "start" and
 Branch count: 18
 Document count: 18
-Index: geneve-ut-639
+Index: geneve-ut-0639
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8620,7 +8620,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-640
+Index: geneve-ut-0640
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8633,7 +8633,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-641
+Index: geneve-ut-0641
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8649,7 +8649,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-642
+Index: geneve-ut-0642
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8675,7 +8675,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-643
+Index: geneve-ut-0643
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8694,7 +8694,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-644
+Index: geneve-ut-0644
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8722,7 +8722,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-645
+Index: geneve-ut-0645
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8737,7 +8737,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 48
 Document count: 48
-Index: geneve-ut-646
+Index: geneve-ut-0646
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -8800,7 +8800,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-647
+Index: geneve-ut-0647
 ```python
 any where host.os.type == "windows" and
@@ -8825,7 +8825,7 @@ any where host.os.type == "windows" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-649
+Index: geneve-ut-0649
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -8841,7 +8841,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 18
 Document count: 18
-Index: geneve-ut-650
+Index: geneve-ut-0650
 ```python
 event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
@@ -8859,7 +8859,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-652
+Index: geneve-ut-0652
 ```python
 event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
@@ -8871,7 +8871,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e
 Branch count: 16
 Document count: 16
-Index: geneve-ut-657
+Index: geneve-ut-0657
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -8888,7 +8888,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-659
+Index: geneve-ut-0659
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
@@ -8903,7 +8903,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 Branch count: 8
 Document count: 16
-Index: geneve-ut-661
+Index: geneve-ut-0661
 ```python
 sequence by host.id, process.parent.entity_id with maxspan=5m
@@ -8920,7 +8920,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m
 Branch count: 8
 Document count: 8
-Index: geneve-ut-662
+Index: geneve-ut-0662
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -8940,7 +8940,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p
 Branch count: 2
 Document count: 6
-Index: geneve-ut-663
+Index: geneve-ut-0663
 ```python
 sequence by host.id, user.name with maxspan = 5s
@@ -8969,7 +8969,7 @@ sequence by host.id, user.name with maxspan = 5s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-664
+Index: geneve-ut-0664
 ```python
 file where event.module == "cloud_defend" and event.action == "open" and
@@ -8982,7 +8982,7 @@ event.type == "change" and file.name : "notify_on_release"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-665
+Index: geneve-ut-0665
 ```python
 file where event.module == "cloud_defend" and event.action == "open" and
@@ -8995,7 +8995,7 @@ event.type == "change" and file.name : "release_agent"
 Branch count: 63
 Document count: 63
-Index: geneve-ut-666
+Index: geneve-ut-0666
 ```python
 process where event.type in ("start", "process_started", "info") and
@@ -9019,7 +9019,7 @@ process where event.type in ("start", "process_started", "info") and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-667
+Index: geneve-ut-0667
 ```python
 any where event.action : ("Directory Service Access", "object-operation-performed") and
@@ -9054,7 +9054,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe
 Branch count: 1
 Document count: 1
-Index: geneve-ut-668
+Index: geneve-ut-0668
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -9072,7 +9072,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-669
+Index: geneve-ut-0669
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -9095,7 +9095,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-670
+Index: geneve-ut-0670
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -9149,7 +9149,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 2
 Document count: 4
-Index: geneve-ut-671
+Index: geneve-ut-0671
 ```python
 sequence by process.entity_id with maxspan=1m
@@ -9167,7 +9167,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 16
 Document count: 32
-Index: geneve-ut-672
+Index: geneve-ut-0672
 ```python
 sequence by process.entity_id
@@ -9182,7 +9182,7 @@ sequence by process.entity_id
 Branch count: 13
 Document count: 13
-Index: geneve-ut-674
+Index: geneve-ut-0674
 ```python
 any where processor.name == "transaction" and
@@ -9196,7 +9196,7 @@ url.fragment : ("", "", "*onerror=*",
 Branch count: 2
 Document count: 2
-Index: geneve-ut-676
+Index: geneve-ut-0676
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9217,7 +9217,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-677
+Index: geneve-ut-0677
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9238,7 +9238,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 9
 Document count: 9
-Index: geneve-ut-683
+Index: geneve-ut-0683
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
@@ -9263,7 +9263,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-684
+Index: geneve-ut-0684
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9276,7 +9276,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-685
+Index: geneve-ut-0685
 ```python
 file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf"
@@ -9288,7 +9288,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path ==
 Branch count: 2
 Document count: 2
-Index: geneve-ut-686
+Index: geneve-ut-0686
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -9301,7 +9301,7 @@ process.parent.name == "proot"
 Branch count: 12
 Document count: 12
-Index: geneve-ut-687
+Index: geneve-ut-0687
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -9319,7 +9319,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 4
 Document count: 4
-Index: geneve-ut-688
+Index: geneve-ut-0688
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -9332,7 +9332,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 2
 Document count: 4
-Index: geneve-ut-689
+Index: geneve-ut-0689
 ```python
 sequence by process.entity_id with maxspan=3m
@@ -9356,7 +9356,7 @@ sequence by process.entity_id with maxspan=3m
 Branch count: 42
 Document count: 42
-Index: geneve-ut-690
+Index: geneve-ut-0690
 ```python
 process where event.type == "start" and host.os.type == "windows" and
@@ -9372,7 +9372,7 @@ process where event.type == "start" and host.os.type == "windows" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-691
+Index: geneve-ut-0691
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9397,7 +9397,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-693
+Index: geneve-ut-0693
 ```python
 process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and
@@ -9410,7 +9410,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start"
 Branch count: 1
 Document count: 4
-Index: geneve-ut-694
+Index: geneve-ut-0694
 ```python
 sequence by host.id, user.id with maxspan=1s
@@ -9432,7 +9432,7 @@ sequence by host.id, user.id with maxspan=1s
 Branch count: 204
 Document count: 204
-Index: geneve-ut-697
+Index: geneve-ut-0697
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9450,7 +9450,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-698
+Index: geneve-ut-0698
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9463,7 +9463,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-699
+Index: geneve-ut-0699
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9476,7 +9476,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-701
+Index: geneve-ut-0701
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -9489,7 +9489,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 4
 Document count: 4
-Index: geneve-ut-702
+Index: geneve-ut-0702
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -9504,7 +9504,7 @@ not process.parent.command_line like "/opt/cloudlinux/*"
 Branch count: 60
 Document count: 120
-Index: geneve-ut-705
+Index: geneve-ut-0705
 ```python
 sequence by host.id with maxspan=1m
@@ -9540,7 +9540,7 @@ sequence by host.id with maxspan=1m
 Branch count: 8
 Document count: 8
-Index: geneve-ut-706
+Index: geneve-ut-0706
 ```python
 event.category:process and host.os.type:macos and event.type:start and
@@ -9553,7 +9553,7 @@ event.category:process and host.os.type:macos and event.type:start and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-707
+Index: geneve-ut-0707
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -9571,7 +9571,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-708
+Index: geneve-ut-0708
 ```python
 process where host.os.type == "windows" and event.code:"4688" and
@@ -9585,7 +9585,7 @@ process where host.os.type == "windows" and event.code:"4688" and
 Branch count: 24
 Document count: 48
-Index: geneve-ut-710
+Index: geneve-ut-0710
 ```python
 sequence by host.id with maxspan=30s
@@ -9604,7 +9604,7 @@ sequence by host.id with maxspan=30s
 Branch count: 4
 Document count: 4
-Index: geneve-ut-711
+Index: geneve-ut-0711
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -9617,7 +9617,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 3
 Document count: 6
-Index: geneve-ut-712
+Index: geneve-ut-0712
 ```python
 sequence by host.id, process.parent.name with maxspan=1m
@@ -9633,7 +9633,7 @@ sequence by host.id, process.parent.name with maxspan=1m
 Branch count: 2
 Document count: 2
-Index: geneve-ut-713
+Index: geneve-ut-0713
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -9646,7 +9646,7 @@ process.name == "unshadow" and process.args_count >= 3
 Branch count: 168
 Document count: 168
-Index: geneve-ut-714
+Index: geneve-ut-0714
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -9676,7 +9676,7 @@ process.name in~ (
 Branch count: 1
 Document count: 10
-Index: geneve-ut-715
+Index: geneve-ut-0715
 ```python
 sequence by host.id, process.parent.executable, user.id with maxspan=1s
@@ -9694,7 +9694,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s
 Branch count: 458
 Document count: 458
-Index: geneve-ut-717
+Index: geneve-ut-0717
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
@@ -9722,7 +9722,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 6
 Document count: 6
-Index: geneve-ut-718
+Index: geneve-ut-0718
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9741,7 +9741,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 54
 Document count: 54
-Index: geneve-ut-720
+Index: geneve-ut-0720
 ```python
 process where host.os.type == "windows" and
@@ -9879,7 +9879,7 @@ process where host.os.type == "windows" and
 Branch count: 20
 Document count: 20
-Index: geneve-ut-721
+Index: geneve-ut-0721
 ```python
 process where host.os.type == "windows" and
@@ -9950,7 +9950,7 @@ process where host.os.type == "windows" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-724
+Index: geneve-ut-0724
 ```python
 library where host.os.type == "windows" and event.action == "load" and
@@ -9967,7 +9967,7 @@ library where host.os.type == "windows" and event.action == "load" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-725
+Index: geneve-ut-0725
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
@@ -9993,7 +9993,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-727
+Index: geneve-ut-0727
 ```python
 event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip
@@ -10005,7 +10005,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti
 Branch count: 16
 Document count: 16
-Index: geneve-ut-728
+Index: geneve-ut-0728
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -10046,7 +10046,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-733
+Index: geneve-ut-0733
 ```python
 network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in (
@@ -10060,7 +10060,7 @@ network where process.name : ("http", "https") and destination.port not in (80,
 Branch count: 4
 Document count: 8
-Index: geneve-ut-734
+Index: geneve-ut-0734
 ```python
 sequence by process.entity_id with maxspan=1m
@@ -10088,7 +10088,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 84
 Document count: 84
-Index: geneve-ut-736
+Index: geneve-ut-0736
 ```python
 file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
@@ -10129,7 +10129,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut
 Branch count: 2
 Document count: 2
-Index: geneve-ut-737
+Index: geneve-ut-0737
 ```python
 network where host.os.type == "windows" and
@@ -10155,7 +10155,7 @@ network where host.os.type == "windows" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-739
+Index: geneve-ut-0739
 ```python
 event.category:file and host.os.type:macos and not event.type:"deletion" and
@@ -10168,7 +10168,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and
 Branch count: 85
 Document count: 85
-Index: geneve-ut-740
+Index: geneve-ut-0740
 ```python
 file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
@@ -10238,7 +10238,7 @@ file.path : (
 Branch count: 1
 Document count: 1
-Index: geneve-ut-741
+Index: geneve-ut-0741
 ```python
 event.category:file and host.os.type:macos and not event.type:"deletion" and
@@ -10252,7 +10252,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-742
+Index: geneve-ut-0742
 ```python
 event.category:file and host.os.type:macos and not event.type:"deletion" and
@@ -10265,7 +10265,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-743
+Index: geneve-ut-0743
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -10289,7 +10289,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-744
+Index: geneve-ut-0744
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -10309,7 +10309,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 45
 Document count: 45
-Index: geneve-ut-745
+Index: geneve-ut-0745
 ```python
 host.os.type:windows and event.category:process and
@@ -10346,7 +10346,7 @@ host.os.type:windows and event.category:process and
 Branch count: 696
 Document count: 696
-Index: geneve-ut-746
+Index: geneve-ut-0746
 ```python
 event.category:process and host.os.type:windows and
@@ -10539,7 +10539,7 @@ event.category:process and host.os.type:windows and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-749
+Index: geneve-ut-0749
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -10555,7 +10555,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 2
 Document count: 2
-Index: geneve-ut-750
+Index: geneve-ut-0750
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and
@@ -10569,7 +10569,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 4
 Document count: 4
-Index: geneve-ut-751
+Index: geneve-ut-0751
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -10586,7 +10586,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 5
-Index: geneve-ut-752
+Index: geneve-ut-0752
 ```python
 sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s
@@ -10600,7 +10600,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5
 Branch count: 1
 Document count: 1
-Index: geneve-ut-753
+Index: geneve-ut-0753
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
@@ -10616,7 +10616,7 @@ process.interactive == true and process.parent.interactive == true
 Branch count: 3
 Document count: 6
-Index: geneve-ut-757
+Index: geneve-ut-0757
 ```python
 sequence by process.parent.entity_id, host.id with maxspan=5s
@@ -10632,7 +10632,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-758
+Index: geneve-ut-0758
 ```python
 file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
@@ -10644,7 +10644,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
 Branch count: 4
 Document count: 8
-Index: geneve-ut-759
+Index: geneve-ut-0759
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -10660,7 +10660,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence by host.id with maxspan=1m @@ -10680,7 +10680,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10692,7 +10692,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python iam where event.action == "renamed-user-account" and @@ -10706,7 +10706,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10729,7 +10729,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10750,7 +10750,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10763,7 +10763,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python file where host.os.type == "windows" and @@ -10778,7 +10778,7 @@ file where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -10806,7 +10806,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10821,7 +10821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence with maxspan=1m @@ -10863,7 +10863,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by host.id with maxspan=5s @@ -10883,7 +10883,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where event.type in ("start", "process_started") and @@ -10904,7 +10904,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10918,7 +10918,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10938,7 +10938,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan=5s @@ -10967,7 +10967,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -10983,7 +10983,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10995,7 +10995,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -11009,7 +11009,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -11037,7 +11037,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python sequence by host.id with maxspan=1s @@ -11059,7 +11059,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -11088,7 +11088,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11101,7 +11101,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s 
@@ -11117,7 +11117,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11131,7 +11131,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -11161,7 +11161,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11174,7 +11174,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -11190,7 +11190,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11207,7 +11207,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and 
@@ -11220,7 +11220,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -11237,7 +11237,7 @@ process.executable : ( Branch count: 8 Document count: 16 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -11253,7 +11253,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11270,7 +11270,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 16 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python sequence by okta.actor.id with maxspan=10m @@ -11290,7 +11290,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 72 Document count: 72 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11306,7 +11306,7 @@ process.parent.name in ("screen", "tmux") and process.name like ( Branch count: 21 Document count: 21 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python event.category:process and host.os.type:windows and @@ -11331,7 +11331,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python event.category:process and host.os.type:windows and @@ -11350,7 +11350,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python event.category:process and host.os.type:windows and 
@@ -11373,7 +11373,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -11385,7 +11385,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python event.category:process and host.os.type:windows and @@ -11409,7 +11409,7 @@ event.category:process and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11426,7 +11426,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 80 Document count: 80 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and @@ -11446,7 +11446,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 4 Document count: 8 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -11479,7 +11479,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -11496,7 +11496,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11510,7 +11510,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -11524,7 +11524,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -11537,7 +11537,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -11580,7 +11580,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 20 Document count: 20 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11606,7 +11606,7 @@ registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -11623,7 +11623,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11637,7 +11637,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -11651,7 +11651,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11668,7 +11668,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -11743,7 +11743,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=1m @@ -11764,7 +11764,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11783,7 +11783,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11798,7 +11798,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11851,7 +11851,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -11863,7 +11863,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11875,7 +11875,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and process.name: "MSBuild.exe" and @@ -11888,7 +11888,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and Branch count: 114 Document count: 114 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11931,7 +11931,7 @@ not ( Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s @@ -11979,7 +11979,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11992,7 +11992,7 @@ process.name : "* " Branch count: 4 Document count: 4 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12029,7 +12029,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where event.action == "exec" and host.os.type == "macos" and 
@@ -12049,7 +12049,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -12062,7 +12062,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by process.entity_id @@ -12086,7 +12086,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -12105,7 +12105,7 @@ file.path : "/private/var/folders/*" Branch count: 6 Document count: 6 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12129,7 +12129,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 8 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python sequence by process.entity_id with maxspan=1m @@ -12144,7 +12144,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -12156,7 +12156,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -12168,7 +12168,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12185,7 +12185,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12215,7 +12215,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 18 Document count: 18 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12230,7 +12230,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12249,7 +12249,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12266,7 +12266,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -12289,7 +12289,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12303,7 +12303,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12317,7 +12317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python sequence by process.entity_id with maxspan=30s @@ -12341,7 +12341,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id, process.entity_id @@ -12357,7 +12357,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12372,7 +12372,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -12392,7 +12392,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python iam where event.action == "scheduled-task-created" and @@ -12405,7 +12405,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -12447,7 +12447,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python sequence with maxspan=1m 
@@ -12470,7 +12470,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python sequence with maxspan=1s @@ -12518,7 +12518,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12531,7 +12531,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12551,7 +12551,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( Branch count: 2 Document count: 4 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -12568,7 +12568,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -12615,7 +12615,7 @@ Index: geneve-ut-910 Branch count: 1 Document count: 1 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -12628,7 +12628,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") @@ -12641,7 +12641,7 @@ and file.path : "/etc/selinux/config" Branch count: 32 Document count: 32 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and 
@@ -12662,7 +12662,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -12674,7 +12674,7 @@ Index: geneve-ut-916 Branch count: 6 Document count: 6 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python file where container.id:"*" and @@ -12687,7 +12687,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where container.id: "*" and event.type == "start" and @@ -12708,7 +12708,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -12722,7 +12722,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where container.id: "*" and event.type== "start" and @@ -12736,7 +12736,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 2 Document count: 2 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and @@ -12749,7 +12749,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") Branch count: 36 Document count: 36 -Index: geneve-ut-925 +Index: geneve-ut-0925 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12767,7 +12767,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-927 +Index: geneve-ut-0927 ```python sequence by host.id with maxspan = 30s 
@@ -12788,7 +12788,7 @@ sequence by host.id with maxspan = 30s Branch count: 6 Document count: 6 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12805,7 +12805,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12820,7 +12820,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-931 +Index: geneve-ut-0931 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12861,7 +12861,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12895,7 +12895,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12909,7 +12909,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 112 Document count: 112 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12929,7 +12929,7 @@ process.args like ( Branch count: 2 Document count: 2 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12943,7 +12943,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where event.type == "start" and 
@@ -13004,7 +13004,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where container.id: "*" and event.type== "start" and @@ -13047,7 +13047,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where container.id: "*" and event.type== "start" and @@ -13071,7 +13071,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -13084,7 +13084,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python file where host.os.type == "windows" and @@ -13105,7 +13105,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python sequence by process.entity_id with maxspan = 1m @@ -13122,7 +13122,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -13142,7 +13142,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python sequence by winlog.computer_name with maxspan=5m @@ -13166,7 +13166,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13181,7 +13181,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -13202,7 +13202,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -13225,7 +13225,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -13238,7 +13238,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13254,7 +13254,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -13267,7 +13267,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -13279,7 +13279,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 264 Document count: 264 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( @@ -13327,7 +13327,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python sequence by host.id with maxspan=5s 
@@ -13341,7 +13341,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -13363,7 +13363,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13382,7 +13382,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -13396,7 +13396,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 42 Document count: 42 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and @@ -13423,7 +13423,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 12 Document count: 24 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -13448,7 +13448,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13481,7 +13481,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python beacon_stats.is_beaconing: true and 
@@ -13499,7 +13499,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python beacon_stats.beaconing_score: 3 @@ -13511,7 +13511,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python sequence by user.name with maxspan=12h @@ -13526,7 +13526,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-981 +Index: geneve-ut-0981 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -13551,7 +13551,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13566,7 +13566,7 @@ not process.args == "dpkg" Branch count: 16 Document count: 16 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13580,7 +13580,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python event.category:process and host.os.type:windows and @@ -13611,7 +13611,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-988 +Index: geneve-ut-0988 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13626,7 +13626,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python sequence by host.id with maxspan=5s 
@@ -13648,7 +13648,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-990 +Index: geneve-ut-0990 ```python sequence by host.id with maxspan=5s @@ -13675,7 +13675,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -13687,7 +13687,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 4 Document count: 4 -Index: geneve-ut-993 +Index: geneve-ut-0993 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -13719,7 +13719,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python sequence by host.id with maxspan=30s @@ -13733,7 +13733,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13765,7 +13765,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -13789,7 +13789,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13803,7 +13803,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13826,7 +13826,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where host.os.type == "windows" and event.type == "start" and diff --git a/tests/reports/alerts_from_rules-8.16.md b/tests/reports/alerts_from_rules-8.16.md index b4edb7c8..0c2c413a 100644 --- a/tests/reports/alerts_from_rules-8.16.md +++ b/tests/reports/alerts_from_rules-8.16.md @@ -19,7 +19,7 @@ Rules version: 8.16.1 Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python sequence by host.id, user.id with maxspan=1m @@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python sequence with maxspan=1m 
@@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 Failure message(s): got 1000 signals, expected 4608 @@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 Failure message(s): got 1000 signals, expected 1024 @@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 Failure message(s): got 1000 signals, expected 1024 @@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 @@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 
@@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 Failure message(s): got 1000 signals, expected 8748 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail 
@@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -788,7 +788,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -800,7 +800,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -827,7 +827,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -839,7 +839,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -856,7 +856,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -869,7 +869,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -895,7 +895,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail @@ -910,7 +910,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -955,7 +955,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -967,7 +967,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -979,7 +979,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -992,7 +992,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -1005,7 +1005,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -1019,7 +1019,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1032,7 +1032,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -1092,7 +1092,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1105,7 +1105,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1117,7 +1117,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1132,7 +1132,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail @@ -1148,7 +1148,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail @@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1187,7 +1187,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" 
@@ -1202,7 +1202,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1217,7 +1217,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -1241,7 +1241,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" @@ -1256,7 +1256,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1269,7 +1269,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success 
@@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1341,7 +1341,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success 
@@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1380,7 +1380,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1393,7 +1393,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1406,7 +1406,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1419,7 +1419,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1434,7 +1434,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
@@ -1447,7 +1447,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1459,7 +1459,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1471,7 +1471,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1483,7 +1483,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1499,7 +1499,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1516,7 +1516,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1561,7 +1561,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and 
@@ -1596,7 +1596,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1613,7 +1613,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1633,7 +1633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m @@ -1661,7 +1661,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1679,7 +1679,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1695,7 +1695,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1715,7 +1715,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1729,7 +1729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1742,7 +1742,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1781,7 +1781,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1793,7 +1793,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1805,7 +1805,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s 
@@ -1824,7 +1824,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1840,7 +1840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1852,7 +1852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1867,7 +1867,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1897,7 +1897,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1909,7 +1909,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -1922,7 +1922,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1934,7 +1934,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1946,7 +1946,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1958,7 +1958,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1970,7 +1970,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1982,7 +1982,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1994,7 +1994,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -2006,7 +2006,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete 
@@ -2018,7 +2018,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2030,7 +2030,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2047,7 +2047,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2060,7 +2060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2088,7 +2088,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2104,7 +2104,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2117,7 +2117,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2131,7 +2131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2154,7 +2154,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2169,7 +2169,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -2181,7 +2181,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -2193,7 +2193,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2205,7 +2205,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2217,7 +2217,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -2236,7 +2236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2248,7 +2248,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2260,7 +2260,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2273,7 +2273,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2285,7 +2285,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2315,7 +2315,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2330,7 +2330,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and 
@@ -2344,7 +2344,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.dataset:azure.signinlogs and @@ -2358,7 +2358,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:azure.signinlogs and @@ -2371,7 +2371,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:azure.signinlogs and @@ -2385,7 +2385,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -2398,7 +2398,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2410,7 +2410,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2422,7 +2422,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:azure.activitylogs and @@ -2441,7 +2441,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:azure.activitylogs and 
@@ -2455,7 +2455,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:azure.activitylogs and @@ -2473,7 +2473,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2485,7 +2485,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2500,7 +2500,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2512,7 +2512,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2525,7 +2525,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) 
@@ -2537,7 +2537,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2549,7 +2549,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2561,7 +2561,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2573,7 +2573,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2585,7 +2585,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -2597,7 +2597,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2615,7 +2615,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2631,7 +2631,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2643,7 +2643,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2656,7 +2656,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2669,7 +2669,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2684,7 +2684,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) 
@@ -2696,7 +2696,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2708,7 +2708,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2720,7 +2720,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2732,7 +2732,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2744,7 +2744,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) 
@@ -2756,7 +2756,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2774,7 +2774,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2788,7 +2788,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2802,7 +2802,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.category:file and event.type:change and @@ -2827,7 +2827,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2842,7 +2842,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2857,7 +2857,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2879,7 +2879,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "windows" and event.type : "creation" and @@ -2908,7 +2908,7 @@ file where host.os.type == "windows" and event.type : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2929,7 +2929,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2949,7 +2949,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 36 Document count: 36 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2970,7 +2970,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2995,7 +2995,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3009,7 +3009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3027,7 +3027,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -3047,7 +3047,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python sequence by process.entity_id @@ -3070,7 +3070,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3087,7 +3087,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3149,7 +3149,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python library where host.os.type == "windows" and event.action == "load" and @@ -3179,7 +3179,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3204,7 +3204,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -3225,7 +3225,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python sequence by process.entity_id 
@@ -3246,7 +3246,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where container.id: "*" and event.type== "start" @@ -3259,7 +3259,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.kind:alert and event.module:cloud_defend @@ -3271,7 +3271,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 12 Document count: 12 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3294,7 +3294,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3314,7 +3314,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -3327,7 +3327,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -3340,7 +3340,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -3355,7 +3355,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -3372,7 +3372,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -3386,7 +3386,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 3 Document count: 3 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3403,7 +3403,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -3415,7 +3415,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 12 Document count: 12 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and @@ -3464,7 +3464,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and @@ -3482,7 +3482,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti Branch count: 8 Document count: 8 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3497,7 +3497,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3509,7 +3509,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3521,7 +3521,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3533,7 +3533,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3545,7 +3545,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python file where host.os.type == "linux" and @@ -3587,7 +3587,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -3607,7 +3607,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 128 Document count: 128 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3629,7 +3629,7 @@ process.name == "curl" and ( Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3641,7 +3641,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:cyberarkpas.audit and @@ -3656,7 +3656,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -3687,7 +3687,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3703,7 +3703,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 5 Document count: 5 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3721,7 +3721,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3736,7 +3736,7 @@ Index: geneve-ut-264 Branch count: 2 Document count: 2 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3750,7 +3750,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3764,7 +3764,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and @@ -3778,7 +3778,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") Branch count: 12 Document count: 12 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3806,7 +3806,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3823,7 +3823,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3848,7 +3848,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3865,7 +3865,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -3880,7 +3880,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3892,7 +3892,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3905,7 +3905,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3917,7 +3917,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan=1m @@ -3935,7 +3935,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -3970,7 +3970,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3985,7 +3985,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -4001,7 +4001,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4015,7 +4015,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -4027,7 +4027,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=3s @@ -4050,7 +4050,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python process where @@ -4081,7 +4081,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -4094,7 +4094,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4108,7 +4108,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python registry where host.os.type == "windows" and @@ -4122,7 +4122,7 @@ registry where host.os.type == "windows" and Branch count: 16 Document count: 16 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4157,7 +4157,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -4169,7 +4169,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 3 Document count: 3 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:(azure.activitylogs or azure.signinlogs) @@ -4186,7 +4186,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs) Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4200,7 +4200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4219,7 +4219,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4246,7 +4246,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4277,7 +4277,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and @@ -4290,7 +4290,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -4319,7 +4319,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4347,7 +4347,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4360,7 +4360,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -4380,7 +4380,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4404,7 +4404,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -4430,7 +4430,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4455,7 +4455,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4484,7 +4484,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -4496,7 +4496,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4519,7 +4519,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4534,7 +4534,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -4546,7 +4546,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4566,7 +4566,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4600,7 +4600,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4612,7 +4612,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -4626,7 +4626,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4639,7 +4639,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4651,7 +4651,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4663,7 +4663,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4677,7 +4677,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4689,7 +4689,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4721,7 +4721,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s 
@@ -4738,7 +4738,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4752,7 +4752,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -4768,7 +4768,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4783,7 +4783,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4798,7 +4798,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4825,7 +4825,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4846,7 +4846,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4865,7 +4865,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4891,7 +4891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4921,7 +4921,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert @@ -4933,7 +4933,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4951,7 +4951,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4963,7 +4963,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4975,7 +4975,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4987,7 +4987,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -4999,7 +4999,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -5011,7 +5011,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -5023,7 +5023,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -5035,7 +5035,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -5047,7 +5047,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -5059,7 +5059,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success 
@@ -5071,7 +5071,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -5083,7 +5083,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -5095,7 +5095,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -5107,7 +5107,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5119,7 +5119,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5131,7 +5131,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success 
@@ -5143,7 +5143,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -5155,7 +5155,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -5167,7 +5167,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5179,7 +5179,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5191,7 +5191,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5203,7 +5203,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5215,7 +5215,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success 
@@ -5227,7 +5227,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -5251,7 +5251,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s @@ -5269,7 +5269,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5297,7 +5297,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -5322,7 +5322,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5334,7 +5334,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5346,7 +5346,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" 
@@ -5358,7 +5358,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -5371,7 +5371,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -5383,7 +5383,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5395,7 +5395,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5407,7 +5407,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5420,7 +5420,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5432,7 +5432,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin 
@@ -5448,7 +5448,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5461,7 +5461,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -5473,7 +5473,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5486,7 +5486,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5498,7 +5498,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5511,7 +5511,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and 
@@ -5528,7 +5528,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5542,7 +5542,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5566,7 +5566,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -5587,7 +5587,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5601,7 +5601,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5613,7 +5613,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5625,7 +5625,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam 
@@ -5638,7 +5638,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5651,7 +5651,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -5672,7 +5672,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5684,7 +5684,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5701,7 +5701,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5730,7 +5730,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5743,7 +5743,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5758,7 +5758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5770,7 +5770,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5787,7 +5787,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m @@ -5806,7 +5806,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5824,7 +5824,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5843,7 +5843,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5859,7 +5859,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5875,7 +5875,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5888,7 +5888,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" 
@@ -5906,7 +5906,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5919,7 +5919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5935,7 +5935,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5958,7 +5958,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5979,7 +5979,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -6000,7 +6000,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -6013,7 +6013,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -6031,7 +6031,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -6044,7 +6044,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6058,7 +6058,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -6117,7 +6117,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6130,7 +6130,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6143,7 +6143,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6157,7 +6157,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6173,7 +6173,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6188,7 +6188,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6204,7 +6204,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -6216,7 +6216,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -6231,7 +6231,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -6245,7 +6245,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -6261,7 +6261,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6278,7 +6278,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -6295,7 +6295,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -6312,7 +6312,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -6345,7 +6345,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -6362,7 +6362,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -6379,7 +6379,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" @@ -6396,7 +6396,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -6412,7 +6412,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6450,7 +6450,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and 
@@ -6485,7 +6485,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6558,7 +6558,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6576,7 +6576,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6592,7 +6592,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6606,7 +6606,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6621,7 +6621,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6683,7 +6683,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6697,7 +6697,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -6713,7 +6713,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6732,7 +6732,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6750,7 +6750,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6775,7 +6775,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -6787,7 +6787,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6822,7 +6822,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6836,7 +6836,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com 
@@ -6848,7 +6848,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6860,7 +6860,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6872,7 +6872,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6884,7 +6884,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6896,7 +6896,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6928,7 +6928,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -6940,7 +6940,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6952,7 +6952,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6964,7 +6964,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -6976,7 +6976,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6988,7 +6988,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -7000,7 +7000,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -7012,7 +7012,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -7024,7 +7024,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -7036,7 +7036,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -7048,7 +7048,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -7060,7 +7060,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -7073,7 +7073,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -7092,7 +7092,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -7104,7 +7104,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -7119,7 +7119,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7133,7 +7133,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -7147,7 +7147,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -7159,7 +7159,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -7171,7 +7171,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7185,7 +7185,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7206,7 +7206,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7220,7 +7220,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7253,7 +7253,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -7278,7 +7278,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category: "process" and host.os.type:windows and @@ -7302,7 +7302,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7317,7 +7317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7331,7 +7331,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7345,7 +7345,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7368,7 +7368,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -7418,7 +7418,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" 
@@ -7430,7 +7430,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7448,7 +7448,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7465,7 +7465,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7477,7 +7477,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7503,7 +7503,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.category:file and host.os.type:linux and event.type:change and @@ -7525,7 +7525,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7547,7 +7547,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python registry where host.os.type == "windows" and event.type == "creation" and 
@@ -7564,7 +7564,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7578,7 +7578,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7590,7 +7590,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7613,7 +7613,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7626,7 +7626,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7645,7 +7645,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id with maxspan=30s @@ -7682,7 +7682,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by process.entity_id with maxspan=10m 
@@ -7700,7 +7700,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7712,7 +7712,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7738,7 +7738,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7764,7 +7764,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7788,7 +7788,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7802,7 +7802,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7821,7 +7821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and 
@@ -7836,7 +7836,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python process where container.id: "*" and event.type== "start" @@ -7859,7 +7859,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7873,7 +7873,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 3 Document count: 3 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7890,7 +7890,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7913,7 +7913,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python sequence by host.id with maxspan=1s @@ -7940,7 +7940,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 16 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id with maxspan=10s @@ -7957,7 +7957,7 @@ sequence by host.id with maxspan=10s Branch count: 1 Document count: 1 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -7976,7 +7976,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by process.entity_id 
@@ -7996,7 +7996,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python sequence by process.entity_id @@ -8015,7 +8015,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python sequence by host.id with maxspan=1m @@ -8035,7 +8035,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python sequence by process.entity_id @@ -8060,7 +8060,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python sequence by process.entity_id @@ -8082,7 +8082,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python network where host.os.type == "linux" and event.type == "start" and @@ -8103,7 +8103,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 2 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -8134,7 +8134,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8164,7 +8164,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and @@ -8181,7 +8181,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 3 Document count: 3 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8194,7 +8194,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -8206,7 +8206,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -8218,7 +8218,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -8230,7 +8230,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -8242,7 +8242,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" @@ -8254,7 +8254,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or 
@@ -8268,7 +8268,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8281,7 +8281,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -8293,7 +8293,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -8307,7 +8307,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -8319,7 +8319,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -8332,7 +8332,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.dataset:okta.system and event.category:authentication and 
@@ -8345,7 +8345,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -8368,7 +8368,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -8380,7 +8380,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -8392,7 +8392,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -8404,7 +8404,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 6 Document count: 6 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8421,7 +8421,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op Branch count: 36 Document count: 72 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -8436,7 +8436,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 5 Document count: 5 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and @@ -8455,7 +8455,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 2 Document count: 2 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8469,7 +8469,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8481,7 +8481,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8493,7 +8493,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8511,7 +8511,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -8524,7 +8524,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -8539,7 +8539,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and @@ -8552,7 +8552,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 32 Document count: 32 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8581,7 +8581,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8601,7 +8601,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8620,7 +8620,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8633,7 +8633,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -8649,7 +8649,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8675,7 +8675,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8694,7 +8694,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8722,7 +8722,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8737,7 +8737,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8800,7 +8800,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 14 Document count: 14 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python any where host.os.type == "windows" and @@ -8825,7 +8825,7 @@ any where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8841,7 +8841,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
@@ -8859,7 +8859,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8871,7 +8871,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8888,7 +8888,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8903,7 +8903,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8920,7 +8920,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8940,7 +8940,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p Branch count: 2 Document count: 6 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id, user.name with maxspan = 5s @@ -8969,7 +8969,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python file where event.module == "cloud_defend" and event.action == "open" and 
@@ -8982,7 +8982,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8995,7 +8995,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python process where event.type in ("start", "process_started", "info") and @@ -9019,7 +9019,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -9054,7 +9054,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9072,7 +9072,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9095,7 +9095,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -9149,7 +9149,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python sequence by process.entity_id with maxspan=1m @@ -9167,7 +9167,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by process.entity_id 
@@ -9182,7 +9182,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python any where processor.name == "transaction" and @@ -9196,7 +9196,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9217,7 +9217,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9238,7 +9238,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -9263,7 +9263,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9276,7 +9276,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" @@ -9288,7 +9288,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path == Branch count: 2 Document count: 2 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -9301,7 +9301,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9319,7 +9319,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9332,7 +9332,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python sequence by process.entity_id with maxspan=3m @@ -9356,7 +9356,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where event.type == "start" and host.os.type == "windows" and @@ -9372,7 +9372,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9397,7 +9397,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -9410,7 +9410,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by host.id, user.id with maxspan=1s 
@@ -9432,7 +9432,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9450,7 +9450,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9463,7 +9463,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9476,7 +9476,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9489,7 +9489,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9504,7 +9504,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by host.id with maxspan=1m @@ -9540,7 +9540,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9553,7 +9553,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -9571,7 +9571,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -9585,7 +9585,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by host.id with maxspan=30s @@ -9604,7 +9604,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9617,7 +9617,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9633,7 +9633,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9646,7 +9646,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9676,7 +9676,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s 
@@ -9694,7 +9694,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9722,7 +9722,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9741,7 +9741,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and @@ -9879,7 +9879,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and @@ -9950,7 +9950,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9967,7 +9967,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9993,7 +9993,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip 
@@ -10005,7 +10005,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10046,7 +10046,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -10060,7 +10060,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python sequence by process.entity_id with maxspan=1m @@ -10088,7 +10088,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -10129,7 +10129,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python network where host.os.type == "windows" and @@ -10155,7 +10155,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10168,7 +10168,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and 
@@ -10238,7 +10238,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10252,7 +10252,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10265,7 +10265,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10289,7 +10289,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10309,7 +10309,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python host.os.type:windows and event.category:process and @@ -10346,7 +10346,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:windows and @@ -10539,7 +10539,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -10555,7 +10555,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -10569,7 +10569,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10586,7 +10586,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10600,7 +10600,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10616,7 +10616,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -10632,7 +10632,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10644,7 +10644,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -10660,7 +10660,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence by host.id with maxspan=1m @@ -10680,7 +10680,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10692,7 +10692,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python iam where event.action == "renamed-user-account" and @@ -10706,7 +10706,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10729,7 +10729,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10750,7 +10750,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10763,7 +10763,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python file where host.os.type == "windows" and @@ -10778,7 +10778,7 @@ file where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -10806,7 +10806,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10821,7 +10821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence with maxspan=1m @@ -10863,7 +10863,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by host.id with maxspan=5s @@ -10883,7 +10883,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where event.type in ("start", "process_started") and @@ -10904,7 +10904,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10918,7 +10918,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10938,7 +10938,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan=5s @@ -10967,7 +10967,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -10983,7 +10983,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10995,7 +10995,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -11009,7 +11009,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -11037,7 +11037,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python sequence by host.id with maxspan=1s @@ -11059,7 +11059,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -11088,7 +11088,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11101,7 +11101,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s 
@@ -11117,7 +11117,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11131,7 +11131,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -11161,7 +11161,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11174,7 +11174,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -11190,7 +11190,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11207,7 +11207,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and 
@@ -11220,7 +11220,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -11237,7 +11237,7 @@ process.executable : ( Branch count: 8 Document count: 16 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -11253,7 +11253,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11270,7 +11270,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 16 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python sequence by okta.actor.id with maxspan=10m @@ -11290,7 +11290,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 72 Document count: 72 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11306,7 +11306,7 @@ process.parent.name in ("screen", "tmux") and process.name like ( Branch count: 21 Document count: 21 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python event.category:process and host.os.type:windows and @@ -11331,7 +11331,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python event.category:process and host.os.type:windows and @@ -11350,7 +11350,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python event.category:process and host.os.type:windows and 
@@ -11373,7 +11373,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -11385,7 +11385,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python event.category:process and host.os.type:windows and @@ -11409,7 +11409,7 @@ event.category:process and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11426,7 +11426,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 80 Document count: 80 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and @@ -11446,7 +11446,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 4 Document count: 8 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -11479,7 +11479,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -11496,7 +11496,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11510,7 +11510,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -11524,7 +11524,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -11537,7 +11537,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -11580,7 +11580,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 20 Document count: 20 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11606,7 +11606,7 @@ registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -11623,7 +11623,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11637,7 +11637,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -11651,7 +11651,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11668,7 +11668,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -11743,7 +11743,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=1m @@ -11764,7 +11764,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11783,7 +11783,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11798,7 +11798,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11851,7 +11851,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -11863,7 +11863,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11875,7 +11875,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and process.name: "MSBuild.exe" and @@ -11888,7 +11888,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and Branch count: 114 Document count: 114 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11931,7 +11931,7 @@ not ( Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s @@ -11979,7 +11979,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11992,7 +11992,7 @@ process.name : "* " Branch count: 4 Document count: 4 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12029,7 +12029,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where event.action == "exec" and host.os.type == "macos" and 
@@ -12049,7 +12049,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -12062,7 +12062,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by process.entity_id @@ -12086,7 +12086,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -12105,7 +12105,7 @@ file.path : "/private/var/folders/*" Branch count: 6 Document count: 6 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12129,7 +12129,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 8 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python sequence by process.entity_id with maxspan=1m @@ -12144,7 +12144,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -12156,7 +12156,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -12168,7 +12168,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12185,7 +12185,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12215,7 +12215,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 18 Document count: 18 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12230,7 +12230,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12249,7 +12249,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12266,7 +12266,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -12289,7 +12289,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12303,7 +12303,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12317,7 +12317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python sequence by process.entity_id with maxspan=30s @@ -12341,7 +12341,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id, process.entity_id @@ -12357,7 +12357,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12372,7 +12372,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -12392,7 +12392,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python iam where event.action == "scheduled-task-created" and @@ -12405,7 +12405,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -12447,7 +12447,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python sequence with maxspan=1m 
@@ -12470,7 +12470,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python sequence with maxspan=1s @@ -12518,7 +12518,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12531,7 +12531,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12551,7 +12551,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( Branch count: 2 Document count: 4 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -12568,7 +12568,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -12615,7 +12615,7 @@ Index: geneve-ut-910 Branch count: 1 Document count: 1 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -12628,7 +12628,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") @@ -12641,7 +12641,7 @@ and file.path : "/etc/selinux/config" Branch count: 32 Document count: 32 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and 
@@ -12662,7 +12662,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -12674,7 +12674,7 @@ Index: geneve-ut-916 Branch count: 6 Document count: 6 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python file where container.id:"*" and @@ -12687,7 +12687,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where container.id: "*" and event.type == "start" and @@ -12708,7 +12708,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -12722,7 +12722,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where container.id: "*" and event.type== "start" and @@ -12736,7 +12736,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 2 Document count: 2 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and @@ -12749,7 +12749,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") Branch count: 36 Document count: 36 -Index: geneve-ut-925 +Index: geneve-ut-0925 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12767,7 +12767,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-927 +Index: geneve-ut-0927 ```python sequence by host.id with maxspan = 30s 
@@ -12788,7 +12788,7 @@ sequence by host.id with maxspan = 30s Branch count: 6 Document count: 6 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12805,7 +12805,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12820,7 +12820,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-931 +Index: geneve-ut-0931 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12861,7 +12861,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12895,7 +12895,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12909,7 +12909,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 112 Document count: 112 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12929,7 +12929,7 @@ process.args like ( Branch count: 2 Document count: 2 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12943,7 +12943,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where event.type == "start" and 
@@ -13004,7 +13004,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where container.id: "*" and event.type== "start" and @@ -13047,7 +13047,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where container.id: "*" and event.type== "start" and @@ -13071,7 +13071,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -13084,7 +13084,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python file where host.os.type == "windows" and @@ -13105,7 +13105,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python sequence by process.entity_id with maxspan = 1m @@ -13122,7 +13122,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -13142,7 +13142,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python sequence by winlog.computer_name with maxspan=5m @@ -13166,7 +13166,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13181,7 +13181,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -13202,7 +13202,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -13225,7 +13225,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -13238,7 +13238,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13254,7 +13254,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -13267,7 +13267,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -13279,7 +13279,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 264 Document count: 264 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( @@ -13327,7 +13327,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python sequence by host.id with maxspan=5s 
@@ -13341,7 +13341,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -13363,7 +13363,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13382,7 +13382,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -13396,7 +13396,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 42 Document count: 42 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and @@ -13423,7 +13423,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 12 Document count: 24 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -13448,7 +13448,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13481,7 +13481,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python beacon_stats.is_beaconing: true and 
@@ -13499,7 +13499,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python beacon_stats.beaconing_score: 3 @@ -13511,7 +13511,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python sequence by user.name with maxspan=12h @@ -13526,7 +13526,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-981 +Index: geneve-ut-0981 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -13551,7 +13551,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13566,7 +13566,7 @@ not process.args == "dpkg" Branch count: 16 Document count: 16 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13580,7 +13580,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python event.category:process and host.os.type:windows and @@ -13611,7 +13611,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-988 +Index: geneve-ut-0988 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13626,7 +13626,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python sequence by host.id with maxspan=5s 
@@ -13648,7 +13648,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-990 +Index: geneve-ut-0990 ```python sequence by host.id with maxspan=5s @@ -13675,7 +13675,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -13687,7 +13687,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 4 Document count: 4 -Index: geneve-ut-993 +Index: geneve-ut-0993 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -13719,7 +13719,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python sequence by host.id with maxspan=30s @@ -13733,7 +13733,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13765,7 +13765,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -13789,7 +13789,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13803,7 +13803,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13826,7 +13826,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where host.os.type == "windows" and event.type == "start" and diff --git a/tests/reports/alerts_from_rules-8.17.md b/tests/reports/alerts_from_rules-8.17.md index b4edb7c8..0c2c413a 100644 --- a/tests/reports/alerts_from_rules-8.17.md +++ b/tests/reports/alerts_from_rules-8.17.md @@ -19,7 +19,7 @@ Rules version: 8.16.1 Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python sequence by host.id, user.id with maxspan=1m @@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python sequence with maxspan=1m 
@@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 Failure message(s): got 1000 signals, expected 4608 @@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 Failure message(s): got 1000 signals, expected 1024 @@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 Failure message(s): got 1000 signals, expected 1024 @@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 @@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 
@@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 Failure message(s): got 1000 signals, expected 8748 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail 
@@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -788,7 +788,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -800,7 +800,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -827,7 +827,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -839,7 +839,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -856,7 +856,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -869,7 +869,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -895,7 +895,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail @@ -910,7 +910,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -955,7 +955,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -967,7 +967,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -979,7 +979,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -992,7 +992,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -1005,7 +1005,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -1019,7 +1019,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1032,7 +1032,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -1092,7 +1092,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1105,7 +1105,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1117,7 +1117,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1132,7 +1132,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail @@ -1148,7 +1148,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail @@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1187,7 +1187,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" 
@@ -1202,7 +1202,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1217,7 +1217,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -1241,7 +1241,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" @@ -1256,7 +1256,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1269,7 +1269,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success 
@@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1341,7 +1341,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success 
@@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1380,7 +1380,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1393,7 +1393,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1406,7 +1406,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1419,7 +1419,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1434,7 +1434,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
@@ -1447,7 +1447,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1459,7 +1459,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1471,7 +1471,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1483,7 +1483,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1499,7 +1499,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1516,7 +1516,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1561,7 +1561,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and 
@@ -1596,7 +1596,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1613,7 +1613,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1633,7 +1633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m @@ -1661,7 +1661,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1679,7 +1679,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1695,7 +1695,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1715,7 +1715,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1729,7 +1729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1742,7 +1742,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1781,7 +1781,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1793,7 +1793,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1805,7 +1805,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s 
@@ -1824,7 +1824,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1840,7 +1840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1852,7 +1852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1867,7 +1867,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1897,7 +1897,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1909,7 +1909,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -1922,7 +1922,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1934,7 +1934,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1946,7 +1946,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1958,7 +1958,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1970,7 +1970,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1982,7 +1982,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1994,7 +1994,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -2006,7 +2006,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete 
@@ -2018,7 +2018,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2030,7 +2030,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2047,7 +2047,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2060,7 +2060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2088,7 +2088,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2104,7 +2104,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2117,7 +2117,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2131,7 +2131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2154,7 +2154,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2169,7 +2169,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -2181,7 +2181,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -2193,7 +2193,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2205,7 +2205,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2217,7 +2217,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -2236,7 +2236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2248,7 +2248,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2260,7 +2260,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2273,7 +2273,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2285,7 +2285,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2315,7 +2315,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2330,7 +2330,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and 
@@ -2344,7 +2344,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.dataset:azure.signinlogs and @@ -2358,7 +2358,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:azure.signinlogs and @@ -2371,7 +2371,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:azure.signinlogs and @@ -2385,7 +2385,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -2398,7 +2398,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2410,7 +2410,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2422,7 +2422,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:azure.activitylogs and @@ -2441,7 +2441,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:azure.activitylogs and 
@@ -2455,7 +2455,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:azure.activitylogs and @@ -2473,7 +2473,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2485,7 +2485,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2500,7 +2500,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2512,7 +2512,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2525,7 +2525,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) 
@@ -2537,7 +2537,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2549,7 +2549,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2561,7 +2561,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2573,7 +2573,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2585,7 +2585,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -2597,7 +2597,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2615,7 +2615,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2631,7 +2631,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2643,7 +2643,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2656,7 +2656,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2669,7 +2669,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2684,7 +2684,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) 
@@ -2696,7 +2696,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2708,7 +2708,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2720,7 +2720,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2732,7 +2732,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2744,7 +2744,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) 
@@ -2756,7 +2756,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2774,7 +2774,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2788,7 +2788,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2802,7 +2802,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.category:file and event.type:change and @@ -2827,7 +2827,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2842,7 +2842,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2857,7 +2857,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2879,7 +2879,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "windows" and event.type : "creation" and @@ -2908,7 +2908,7 @@ file where host.os.type == "windows" and event.type : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2929,7 +2929,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2949,7 +2949,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 36 Document count: 36 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2970,7 +2970,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2995,7 +2995,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3009,7 +3009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3027,7 +3027,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -3047,7 +3047,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python sequence by process.entity_id @@ -3070,7 +3070,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3087,7 +3087,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3149,7 +3149,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python library where host.os.type == "windows" and event.action == "load" and @@ -3179,7 +3179,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3204,7 +3204,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -3225,7 +3225,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python sequence by process.entity_id 
@@ -3246,7 +3246,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where container.id: "*" and event.type== "start" @@ -3259,7 +3259,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.kind:alert and event.module:cloud_defend @@ -3271,7 +3271,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 12 Document count: 12 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3294,7 +3294,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3314,7 +3314,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -3327,7 +3327,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -3340,7 +3340,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -3355,7 +3355,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -3372,7 +3372,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -3386,7 +3386,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 3 Document count: 3 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3403,7 +3403,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -3415,7 +3415,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 12 Document count: 12 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and @@ -3464,7 +3464,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and @@ -3482,7 +3482,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti Branch count: 8 Document count: 8 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3497,7 +3497,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3509,7 +3509,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3521,7 +3521,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3533,7 +3533,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3545,7 +3545,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python file where host.os.type == "linux" and @@ -3587,7 +3587,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -3607,7 +3607,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 128 Document count: 128 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3629,7 +3629,7 @@ process.name == "curl" and ( Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3641,7 +3641,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:cyberarkpas.audit and @@ -3656,7 +3656,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -3687,7 +3687,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3703,7 +3703,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 5 Document count: 5 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3721,7 +3721,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3736,7 +3736,7 @@ Index: geneve-ut-264 Branch count: 2 Document count: 2 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3750,7 +3750,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3764,7 +3764,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and @@ -3778,7 +3778,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") Branch count: 12 Document count: 12 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3806,7 +3806,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3823,7 +3823,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3848,7 +3848,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3865,7 +3865,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -3880,7 +3880,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3892,7 +3892,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3905,7 +3905,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3917,7 +3917,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan=1m @@ -3935,7 +3935,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -3970,7 +3970,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3985,7 +3985,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -4001,7 +4001,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4015,7 +4015,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -4027,7 +4027,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=3s @@ -4050,7 +4050,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python process where @@ -4081,7 +4081,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -4094,7 +4094,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4108,7 +4108,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python registry where host.os.type == "windows" and @@ -4122,7 +4122,7 @@ registry where host.os.type == "windows" and Branch count: 16 Document count: 16 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4157,7 +4157,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -4169,7 +4169,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 3 Document count: 3 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:(azure.activitylogs or azure.signinlogs) @@ -4186,7 +4186,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs) Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4200,7 +4200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4219,7 +4219,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4246,7 +4246,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4277,7 +4277,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and @@ -4290,7 +4290,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -4319,7 +4319,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4347,7 +4347,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4360,7 +4360,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -4380,7 +4380,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4404,7 +4404,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -4430,7 +4430,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4455,7 +4455,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4484,7 +4484,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -4496,7 +4496,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4519,7 +4519,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4534,7 +4534,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -4546,7 +4546,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4566,7 +4566,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4600,7 +4600,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4612,7 +4612,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -4626,7 +4626,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4639,7 +4639,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4651,7 +4651,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4663,7 +4663,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4677,7 +4677,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4689,7 +4689,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4721,7 +4721,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s 
@@ -4738,7 +4738,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4752,7 +4752,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -4768,7 +4768,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4783,7 +4783,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4798,7 +4798,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4825,7 +4825,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4846,7 +4846,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4865,7 +4865,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4891,7 +4891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4921,7 +4921,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert @@ -4933,7 +4933,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4951,7 +4951,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4963,7 +4963,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4975,7 +4975,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4987,7 +4987,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -4999,7 +4999,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -5011,7 +5011,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -5023,7 +5023,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -5035,7 +5035,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -5047,7 +5047,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -5059,7 +5059,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success 
@@ -5071,7 +5071,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -5083,7 +5083,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -5095,7 +5095,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -5107,7 +5107,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5119,7 +5119,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5131,7 +5131,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success 
@@ -5143,7 +5143,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -5155,7 +5155,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -5167,7 +5167,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5179,7 +5179,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5191,7 +5191,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5203,7 +5203,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5215,7 +5215,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success 
@@ -5227,7 +5227,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -5251,7 +5251,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s @@ -5269,7 +5269,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5297,7 +5297,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -5322,7 +5322,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5334,7 +5334,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5346,7 +5346,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" 
@@ -5358,7 +5358,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -5371,7 +5371,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -5383,7 +5383,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5395,7 +5395,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5407,7 +5407,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5420,7 +5420,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5432,7 +5432,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin 
@@ -5448,7 +5448,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5461,7 +5461,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -5473,7 +5473,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5486,7 +5486,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5498,7 +5498,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5511,7 +5511,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and 
@@ -5528,7 +5528,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5542,7 +5542,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5566,7 +5566,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -5587,7 +5587,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5601,7 +5601,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5613,7 +5613,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5625,7 +5625,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam 
@@ -5638,7 +5638,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5651,7 +5651,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -5672,7 +5672,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5684,7 +5684,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5701,7 +5701,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5730,7 +5730,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5743,7 +5743,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5758,7 +5758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5770,7 +5770,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5787,7 +5787,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m @@ -5806,7 +5806,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5824,7 +5824,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5843,7 +5843,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5859,7 +5859,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5875,7 +5875,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5888,7 +5888,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" 
@@ -5906,7 +5906,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5919,7 +5919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5935,7 +5935,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5958,7 +5958,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5979,7 +5979,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -6000,7 +6000,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -6013,7 +6013,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -6031,7 +6031,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -6044,7 +6044,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6058,7 +6058,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -6117,7 +6117,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6130,7 +6130,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6143,7 +6143,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6157,7 +6157,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6173,7 +6173,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6188,7 +6188,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6204,7 +6204,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -6216,7 +6216,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -6231,7 +6231,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -6245,7 +6245,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -6261,7 +6261,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6278,7 +6278,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -6295,7 +6295,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -6312,7 +6312,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -6345,7 +6345,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -6362,7 +6362,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -6379,7 +6379,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" @@ -6396,7 +6396,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -6412,7 +6412,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6450,7 +6450,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and 
@@ -6485,7 +6485,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6558,7 +6558,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6576,7 +6576,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6592,7 +6592,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6606,7 +6606,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6621,7 +6621,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6683,7 +6683,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6697,7 +6697,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -6713,7 +6713,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6732,7 +6732,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6750,7 +6750,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6775,7 +6775,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -6787,7 +6787,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6822,7 +6822,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6836,7 +6836,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com 
@@ -6848,7 +6848,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6860,7 +6860,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6872,7 +6872,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6884,7 +6884,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6896,7 +6896,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6928,7 +6928,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -6940,7 +6940,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6952,7 +6952,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6964,7 +6964,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -6976,7 +6976,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6988,7 +6988,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -7000,7 +7000,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-523
+Index: geneve-ut-0523
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success
@@ -7012,7 +7012,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-524
+Index: geneve-ut-0524
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success
@@ -7024,7 +7024,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-525
+Index: geneve-ut-0525
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success
@@ -7036,7 +7036,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-526
+Index: geneve-ut-0526
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
@@ -7048,7 +7048,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-527
+Index: geneve-ut-0527
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
@@ -7060,7 +7060,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-528
+Index: geneve-ut-0528
 
 ```python
 event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and
@@ -7073,7 +7073,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator"
 Branch count: 6
 Document count: 6
-Index: geneve-ut-529
+Index: geneve-ut-0529
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and
@@ -7092,7 +7092,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-532
+Index: geneve-ut-0532
 
 ```python
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
@@ -7104,7 +7104,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c
 Branch count: 1
 Document count: 1
-Index: geneve-ut-533
+Index: geneve-ut-0533
 
 ```python
 event.dataset:o365.audit and event.provider:MicrosoftTeams and
@@ -7119,7 +7119,7 @@ o365.audit.NewValue:True and event.outcome:success
 Branch count: 2
 Document count: 2
-Index: geneve-ut-534
+Index: geneve-ut-0534
 
 ```python
 event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
@@ -7133,7 +7133,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
 Branch count: 2
 Document count: 2
-Index: geneve-ut-535
+Index: geneve-ut-0535
 
 ```python
 event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
@@ -7147,7 +7147,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success
 Branch count: 1
 Document count: 1
-Index: geneve-ut-536
+Index: geneve-ut-0536
 
 ```python
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
@@ -7159,7 +7159,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c
 Branch count: 1
 Document count: 1
-Index: geneve-ut-537
+Index: geneve-ut-0537
 
 ```python
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success
@@ -7171,7 +7171,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c
 Branch count: 2
 Document count: 2
-Index: geneve-ut-540
+Index: geneve-ut-0540
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7185,7 +7185,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-541
+Index: geneve-ut-0541
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7206,7 +7206,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-542
+Index: geneve-ut-0542
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7220,7 +7220,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-543
+Index: geneve-ut-0543
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7253,7 +7253,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 48
 Document count: 48
-Index: geneve-ut-544
+Index: geneve-ut-0544
 
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -7278,7 +7278,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-545
+Index: geneve-ut-0545
 
 ```python
 event.category: "process" and host.os.type:windows and
@@ -7302,7 +7302,7 @@ event.category: "process" and host.os.type:windows and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-546
+Index: geneve-ut-0546
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7317,7 +7317,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-547
+Index: geneve-ut-0547
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7331,7 +7331,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-548
+Index: geneve-ut-0548
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7345,7 +7345,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-549
+Index: geneve-ut-0549
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7368,7 +7368,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 28
 Document count: 28
-Index: geneve-ut-550
+Index: geneve-ut-0550
 
 ```python
 registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
@@ -7418,7 +7418,7 @@ registry where host.os.type == "windows" and event.type == "change" and process.
 Branch count: 1
 Document count: 1
-Index: geneve-ut-551
+Index: geneve-ut-0551
 
 ```python
 file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe"
@@ -7430,7 +7430,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n
 Branch count: 2
 Document count: 2
-Index: geneve-ut-552
+Index: geneve-ut-0552
 
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -7448,7 +7448,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-553
+Index: geneve-ut-0553
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7465,7 +7465,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-555
+Index: geneve-ut-0555
 
 ```python
 file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
@@ -7477,7 +7477,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p
 Branch count: 2
 Document count: 2
-Index: geneve-ut-556
+Index: geneve-ut-0556
 
 ```python
 event.category:process and host.os.type:macos and event.type:start and
@@ -7503,7 +7503,7 @@ event.category:process and host.os.type:macos and event.type:start and
 Branch count: 5
 Document count: 5
-Index: geneve-ut-557
+Index: geneve-ut-0557
 
 ```python
 event.category:file and host.os.type:linux and event.type:change and
@@ -7525,7 +7525,7 @@ event.category:file and host.os.type:linux and event.type:change and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-558
+Index: geneve-ut-0558
 
 ```python
 event.category:process and host.os.type:macos and event.type:start and
@@ -7547,7 +7547,7 @@ event.category:process and host.os.type:macos and event.type:start and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-560
+Index: geneve-ut-0560
 
 ```python
 registry where host.os.type == "windows" and event.type == "creation" and
@@ -7564,7 +7564,7 @@ registry where host.os.type == "windows" and event.type == "creation" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-561
+Index: geneve-ut-0561
 
 ```python
 event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
@@ -7578,7 +7578,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified"
 Branch count: 2
 Document count: 2
-Index: geneve-ut-562
+Index: geneve-ut-0562
 
 ```python
 event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)
@@ -7590,7 +7590,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or
 Branch count: 2
 Document count: 2
-Index: geneve-ut-563
+Index: geneve-ut-0563
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7613,7 +7613,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-564
+Index: geneve-ut-0564
 
 ```python
 process where event.module == "cloud_defend" and event.type== "start" and
@@ -7626,7 +7626,7 @@ process where event.module == "cloud_defend" and event.type== "start" and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-565
+Index: geneve-ut-0565
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7645,7 +7645,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 16
-Index: geneve-ut-566
+Index: geneve-ut-0566
 
 ```python
 sequence by process.entity_id with maxspan=30s
@@ -7682,7 +7682,7 @@ sequence by process.entity_id with maxspan=30s
 Branch count: 1
 Document count: 2
-Index: geneve-ut-567
+Index: geneve-ut-0567
 
 ```python
 sequence by process.entity_id with maxspan=10m
@@ -7700,7 +7700,7 @@ sequence by process.entity_id with maxspan=10m
 Branch count: 2
 Document count: 2
-Index: geneve-ut-569
+Index: geneve-ut-0569
 
 ```python
 event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success)
@@ -7712,7 +7712,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong
 Branch count: 1
 Document count: 6
-Index: geneve-ut-573
+Index: geneve-ut-0573
 
 ```python
 sequence by winlog.computer_name, source.ip with maxspan=5s
@@ -7738,7 +7738,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s
 Branch count: 1
 Document count: 10
-Index: geneve-ut-574
+Index: geneve-ut-0574
 
 ```python
 sequence by winlog.computer_name, source.ip with maxspan=10s
@@ -7764,7 +7764,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s
 Branch count: 1
 Document count: 2
-Index: geneve-ut-579
+Index: geneve-ut-0579
 
 ```python
 sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
@@ -7788,7 +7788,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-581
+Index: geneve-ut-0581
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7802,7 +7802,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 210
 Document count: 210
-Index: geneve-ut-582
+Index: geneve-ut-0582
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7821,7 +7821,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-583
+Index: geneve-ut-0583
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and
@@ -7836,7 +7836,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-
 Branch count: 560
 Document count: 560
-Index: geneve-ut-584
+Index: geneve-ut-0584
 
 ```python
 process where container.id: "*" and event.type== "start"
@@ -7859,7 +7859,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")
 Branch count: 10
 Document count: 10
-Index: geneve-ut-585
+Index: geneve-ut-0585
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -7873,7 +7873,7 @@ process.args : "*l*" and process.args_count >= 4
 Branch count: 3
 Document count: 3
-Index: geneve-ut-586
+Index: geneve-ut-0586
 
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -7890,7 +7890,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 16
 Document count: 32
-Index: geneve-ut-588
+Index: geneve-ut-0588
 
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -7913,7 +7913,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 Branch count: 1
 Document count: 2
-Index: geneve-ut-589
+Index: geneve-ut-0589
 
 ```python
 sequence by host.id with maxspan=1s
@@ -7940,7 +7940,7 @@ sequence by host.id with maxspan=1s
 Branch count: 8
 Document count: 16
-Index: geneve-ut-590
+Index: geneve-ut-0590
 
 ```python
 sequence by host.id with maxspan=10s
@@ -7957,7 +7957,7 @@ sequence by host.id with maxspan=10s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-592
+Index: geneve-ut-0592
 
 ```python
 network where host.os.type == "windows" and process.name : "certutil.exe" and
@@ -7976,7 +7976,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-593
+Index: geneve-ut-0593
 
 ```python
 sequence by process.entity_id
@@ -7996,7 +7996,7 @@ sequence by process.entity_id
 Branch count: 1
 Document count: 2
-Index: geneve-ut-594
+Index: geneve-ut-0594
 
 ```python
 sequence by process.entity_id
@@ -8015,7 +8015,7 @@ sequence by process.entity_id
 Branch count: 3
 Document count: 12
-Index: geneve-ut-595
+Index: geneve-ut-0595
 
 ```python
 sequence by host.id with maxspan=1m
@@ -8035,7 +8035,7 @@ sequence by host.id with maxspan=1m
 Branch count: 18
 Document count: 36
-Index: geneve-ut-596
+Index: geneve-ut-0596
 
 ```python
 sequence by process.entity_id
@@ -8060,7 +8060,7 @@ sequence by process.entity_id
 Branch count: 16
 Document count: 32
-Index: geneve-ut-597
+Index: geneve-ut-0597
 
 ```python
 sequence by process.entity_id
@@ -8082,7 +8082,7 @@ sequence by process.entity_id
 Branch count: 2
 Document count: 2
-Index: geneve-ut-598
+Index: geneve-ut-0598
 
 ```python
 network where host.os.type == "linux" and event.type == "start" and
@@ -8103,7 +8103,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr
 Branch count: 2
 Document count: 4
-Index: geneve-ut-599
+Index: geneve-ut-0599
 
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -8134,7 +8134,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 Branch count: 4
 Document count: 4
-Index: geneve-ut-600
+Index: geneve-ut-0600
 
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -8164,7 +8164,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-603
+Index: geneve-ut-0603
 
 ```python
 registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and
@@ -8181,7 +8181,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
 Branch count: 3
 Document count: 3
-Index: geneve-ut-604
+Index: geneve-ut-0604
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8194,7 +8194,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-605
+Index: geneve-ut-0605
 
 ```python
 configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
@@ -8206,7 +8206,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra
 Branch count: 1
 Document count: 1
-Index: geneve-ut-606
+Index: geneve-ut-0606
 
 ```python
 iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
@@ -8218,7 +8218,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-607
+Index: geneve-ut-0607
 
 ```python
 event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
@@ -8230,7 +8230,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
 Branch count: 1
 Document count: 1
-Index: geneve-ut-608
+Index: geneve-ut-0608
 
 ```python
 event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS"
@@ -8242,7 +8242,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-609
+Index: geneve-ut-0609
 
 ```python
 configuration where event.dataset == "github.audit" and event.action == "org.add_member"
@@ -8254,7 +8254,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add
 Branch count: 6
 Document count: 6
-Index: geneve-ut-610
+Index: geneve-ut-0610
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
@@ -8268,7 +8268,7 @@ event.outcome:success
 Branch count: 4
 Document count: 4
-Index: geneve-ut-611
+Index: geneve-ut-0611
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -8281,7 +8281,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-613
+Index: geneve-ut-0613
 
 ```python
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
@@ -8293,7 +8293,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a
 Branch count: 3
 Document count: 3
-Index: geneve-ut-615
+Index: geneve-ut-0615
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
@@ -8307,7 +8307,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-616
+Index: geneve-ut-0616
 
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
@@ -8319,7 +8319,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo
 Branch count: 1
 Document count: 1
-Index: geneve-ut-617
+Index: geneve-ut-0617
 
 ```python
 registry where host.os.type == "windows" and event.action != "deletion" and
@@ -8332,7 +8332,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-619
+Index: geneve-ut-0619
 
 ```python
 event.dataset:okta.system and event.category:authentication and
@@ -8345,7 +8345,7 @@ event.dataset:okta.system and event.category:authentication and
 Branch count: 10
 Document count: 10
-Index: geneve-ut-620
+Index: geneve-ut-0620
 
 ```python
 event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
@@ -8368,7 +8368,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/
 Branch count: 2
 Document count: 2
-Index: geneve-ut-621
+Index: geneve-ut-0621
 
 ```python
 event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)
@@ -8380,7 +8380,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb
 Branch count: 1
 Document count: 1
-Index: geneve-ut-622
+Index: geneve-ut-0622
 
 ```python
 event.dataset:okta.system and event.action:user.session.impersonation.initiate
@@ -8392,7 +8392,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate
 Branch count: 1
 Document count: 1
-Index: geneve-ut-624
+Index: geneve-ut-0624
 
 ```python
 event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
@@ -8404,7 +8404,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi
 Branch count: 6
 Document count: 6
-Index: geneve-ut-625
+Index: geneve-ut-0625
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -8421,7 +8421,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op
 Branch count: 36
 Document count: 72
-Index: geneve-ut-626
+Index: geneve-ut-0626
 
 ```python
 sequence by host.id, process.entity_id with maxspan = 5s
@@ -8436,7 +8436,7 @@ sequence by host.id, process.entity_id with maxspan = 5s
 Branch count: 5
 Document count: 5
-Index: geneve-ut-627
+Index: geneve-ut-0627
 
 ```python
 registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
@@ -8455,7 +8455,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
 Branch count: 2
 Document count: 2
-Index: geneve-ut-629
+Index: geneve-ut-0629
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8469,7 +8469,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-630
+Index: geneve-ut-0630
 
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
@@ -8481,7 +8481,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-631
+Index: geneve-ut-0631
 
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
@@ -8493,7 +8493,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-632
+Index: geneve-ut-0632
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8511,7 +8511,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-633
+Index: geneve-ut-0633
 
 ```python
 event.category:file and host.os.type:macos and not event.type:deletion and
@@ -8524,7 +8524,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-634
+Index: geneve-ut-0634
 
 ```python
 event.category:file and host.os.type:macos and event.action:modification and
@@ -8539,7 +8539,7 @@ event.category:file and host.os.type:macos and event.action:modification and
 Branch count: 11
 Document count: 11
-Index: geneve-ut-635
+Index: geneve-ut-0635
 
 ```python
 process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
@@ -8552,7 +8552,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name
 Branch count: 32
 Document count: 32
-Index: geneve-ut-637
+Index: geneve-ut-0637
 
 ```python
 file where host.os.type == "linux" and event.type != "deletion" and
@@ -8581,7 +8581,7 @@ file where host.os.type == "linux" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-638
+Index: geneve-ut-0638
 
 ```python
 process where host.os.type == "macos" and event.type == "start" and
@@ -8601,7 +8601,7 @@ process where host.os.type == "macos" and event.type == "start" and
 Branch count: 18
 Document count: 18
-Index: geneve-ut-639
+Index: geneve-ut-0639
 
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8620,7 +8620,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-640
+Index: geneve-ut-0640
 
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8633,7 +8633,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-641
+Index: geneve-ut-0641
 
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8649,7 +8649,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-642
+Index: geneve-ut-0642
 
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -8675,7 +8675,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-643
+Index: geneve-ut-0643
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8694,7 +8694,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-644
+Index: geneve-ut-0644
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8722,7 +8722,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-645
+Index: geneve-ut-0645
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8737,7 +8737,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 48
 Document count: 48
-Index: geneve-ut-646
+Index: geneve-ut-0646
 
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -8800,7 +8800,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-647
+Index: geneve-ut-0647
 
 ```python
 any where host.os.type == "windows" and
@@ -8825,7 +8825,7 @@ any where host.os.type == "windows" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-649
+Index: geneve-ut-0649
 
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -8841,7 +8841,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 18
 Document count: 18
-Index: geneve-ut-650
+Index: geneve-ut-0650
 
 ```python
 event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
@@ -8859,7 +8859,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-652
+Index: geneve-ut-0652
 
 ```python
 event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
@@ -8871,7 +8871,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e
 Branch count: 16
 Document count: 16
-Index: geneve-ut-657
+Index: geneve-ut-0657
 
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -8888,7 +8888,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-659
+Index: geneve-ut-0659
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
@@ -8903,7 +8903,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 Branch count: 8
 Document count: 16
-Index: geneve-ut-661
+Index: geneve-ut-0661
 
 ```python
 sequence by host.id, process.parent.entity_id with maxspan=5m
@@ -8920,7 +8920,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m
 Branch count: 8
 Document count: 8
-Index: geneve-ut-662
+Index: geneve-ut-0662
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -8940,7 +8940,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p
 Branch count: 2
 Document count: 6
-Index: geneve-ut-663
+Index: geneve-ut-0663
 
 ```python
 sequence by host.id, user.name with maxspan = 5s
@@ -8969,7 +8969,7 @@ sequence by host.id, user.name with maxspan = 5s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-664
+Index: geneve-ut-0664
 
 ```python
 file where event.module == "cloud_defend" and event.action == "open" and
@@ -8982,7 +8982,7 @@ event.type == "change" and file.name : "notify_on_release"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-665
+Index: geneve-ut-0665
 
 ```python
 file where event.module == "cloud_defend" and event.action == "open" and
@@ -8995,7 +8995,7 @@ event.type == "change" and file.name : "release_agent"
 Branch count: 63
 Document count: 63
-Index: geneve-ut-666
+Index: geneve-ut-0666
 
 ```python
 process where event.type in ("start", "process_started", "info") and
@@ -9019,7 +9019,7 @@ process where event.type in ("start", "process_started", "info") and
 Branch count: 12
 Document count: 12
-Index: geneve-ut-667
+Index: geneve-ut-0667
 
 ```python
 any where event.action : ("Directory Service Access", "object-operation-performed") and
@@ -9054,7 +9054,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe
 Branch count: 1
 Document count: 1
-Index: geneve-ut-668
+Index: geneve-ut-0668
 
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -9072,7 +9072,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-669
+Index: geneve-ut-0669
 
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -9095,7 +9095,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-670
+Index: geneve-ut-0670
 
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -9149,7 +9149,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 2
 Document count: 4
-Index: geneve-ut-671
+Index: geneve-ut-0671
 
 ```python
 sequence by process.entity_id with maxspan=1m
@@ -9167,7 +9167,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 16
 Document count: 32
-Index: geneve-ut-672
+Index: geneve-ut-0672
 
 ```python
 sequence by process.entity_id
@@ -9182,7 +9182,7 @@ sequence by process.entity_id
 Branch count: 13
 Document count: 13
-Index: geneve-ut-674
+Index: geneve-ut-0674
 
 ```python
 any where processor.name == "transaction" and
@@ -9196,7 +9196,7 @@ url.fragment : ("", "", "*onerror=*",
 Branch count: 2
 Document count: 2
-Index: geneve-ut-676
+Index: geneve-ut-0676
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9217,7 +9217,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-677
+Index: geneve-ut-0677
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9238,7 +9238,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 9
 Document count: 9
-Index: geneve-ut-683
+Index: geneve-ut-0683
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
@@ -9263,7 +9263,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-684
+Index: geneve-ut-0684
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9276,7 +9276,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-685
+Index: geneve-ut-0685
 
 ```python
 file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf"
@@ -9288,7 +9288,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path ==
 Branch count: 2
 Document count: 2
-Index: geneve-ut-686
+Index: geneve-ut-0686
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -9301,7 +9301,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9319,7 +9319,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9332,7 +9332,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python sequence by process.entity_id with maxspan=3m @@ -9356,7 +9356,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where event.type == "start" and host.os.type == "windows" and @@ -9372,7 +9372,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9397,7 +9397,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -9410,7 +9410,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by host.id, user.id with maxspan=1s 
@@ -9432,7 +9432,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9450,7 +9450,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9463,7 +9463,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9476,7 +9476,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9489,7 +9489,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9504,7 +9504,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by host.id with maxspan=1m @@ -9540,7 +9540,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9553,7 +9553,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -9571,7 +9571,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -9585,7 +9585,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by host.id with maxspan=30s @@ -9604,7 +9604,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9617,7 +9617,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9633,7 +9633,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9646,7 +9646,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9676,7 +9676,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s 
@@ -9694,7 +9694,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9722,7 +9722,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9741,7 +9741,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and @@ -9879,7 +9879,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and @@ -9950,7 +9950,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9967,7 +9967,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9993,7 +9993,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip 
@@ -10005,7 +10005,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10046,7 +10046,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -10060,7 +10060,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python sequence by process.entity_id with maxspan=1m @@ -10088,7 +10088,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -10129,7 +10129,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python network where host.os.type == "windows" and @@ -10155,7 +10155,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10168,7 +10168,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and 
@@ -10238,7 +10238,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10252,7 +10252,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10265,7 +10265,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10289,7 +10289,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10309,7 +10309,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python host.os.type:windows and event.category:process and @@ -10346,7 +10346,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:windows and @@ -10539,7 +10539,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -10555,7 +10555,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -10569,7 +10569,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10586,7 +10586,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10600,7 +10600,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10616,7 +10616,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -10632,7 +10632,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10644,7 +10644,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -10660,7 +10660,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence by host.id with maxspan=1m @@ -10680,7 +10680,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10692,7 +10692,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python iam where event.action == "renamed-user-account" and @@ -10706,7 +10706,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10729,7 +10729,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10750,7 +10750,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python process where host.os.type == "linux" and event.type == "start" and @@ -10763,7 +10763,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python file where host.os.type == "windows" and @@ -10778,7 +10778,7 @@ file where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -10806,7 +10806,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10821,7 +10821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence with maxspan=1m @@ -10863,7 +10863,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by host.id with maxspan=5s @@ -10883,7 +10883,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where event.type in ("start", "process_started") and @@ -10904,7 +10904,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10918,7 +10918,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10938,7 +10938,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan=5s @@ -10967,7 +10967,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -10983,7 +10983,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10995,7 +10995,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -11009,7 +11009,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -11037,7 +11037,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python sequence by host.id with maxspan=1s @@ -11059,7 +11059,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -11088,7 +11088,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11101,7 +11101,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s 
@@ -11117,7 +11117,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11131,7 +11131,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -11161,7 +11161,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11174,7 +11174,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -11190,7 +11190,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11207,7 +11207,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and 
@@ -11220,7 +11220,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -11237,7 +11237,7 @@ process.executable : ( Branch count: 8 Document count: 16 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -11253,7 +11253,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11270,7 +11270,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 16 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python sequence by okta.actor.id with maxspan=10m @@ -11290,7 +11290,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 72 Document count: 72 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11306,7 +11306,7 @@ process.parent.name in ("screen", "tmux") and process.name like ( Branch count: 21 Document count: 21 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python event.category:process and host.os.type:windows and @@ -11331,7 +11331,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python event.category:process and host.os.type:windows and @@ -11350,7 +11350,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python event.category:process and host.os.type:windows and 
@@ -11373,7 +11373,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -11385,7 +11385,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python event.category:process and host.os.type:windows and @@ -11409,7 +11409,7 @@ event.category:process and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11426,7 +11426,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 80 Document count: 80 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and @@ -11446,7 +11446,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 4 Document count: 8 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -11479,7 +11479,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -11496,7 +11496,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11510,7 +11510,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -11524,7 +11524,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -11537,7 +11537,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -11580,7 +11580,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 20 Document count: 20 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11606,7 +11606,7 @@ registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -11623,7 +11623,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11637,7 +11637,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -11651,7 +11651,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11668,7 +11668,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -11743,7 +11743,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=1m @@ -11764,7 +11764,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11783,7 +11783,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11798,7 +11798,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11851,7 +11851,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -11863,7 +11863,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11875,7 +11875,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and process.name: "MSBuild.exe" and @@ -11888,7 +11888,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and Branch count: 114 Document count: 114 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11931,7 +11931,7 @@ not ( Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s @@ -11979,7 +11979,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11992,7 +11992,7 @@ process.name : "* " Branch count: 4 Document count: 4 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12029,7 +12029,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where event.action == "exec" and host.os.type == "macos" and 
@@ -12049,7 +12049,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -12062,7 +12062,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by process.entity_id @@ -12086,7 +12086,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -12105,7 +12105,7 @@ file.path : "/private/var/folders/*" Branch count: 6 Document count: 6 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12129,7 +12129,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 8 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python sequence by process.entity_id with maxspan=1m @@ -12144,7 +12144,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -12156,7 +12156,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -12168,7 +12168,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12185,7 +12185,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12215,7 +12215,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 18 Document count: 18 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12230,7 +12230,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12249,7 +12249,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12266,7 +12266,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -12289,7 +12289,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12303,7 +12303,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12317,7 +12317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python sequence by process.entity_id with maxspan=30s @@ -12341,7 +12341,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id, process.entity_id @@ -12357,7 +12357,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12372,7 +12372,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -12392,7 +12392,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python iam where event.action == "scheduled-task-created" and @@ -12405,7 +12405,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -12447,7 +12447,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python sequence with maxspan=1m 
@@ -12470,7 +12470,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python sequence with maxspan=1s @@ -12518,7 +12518,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12531,7 +12531,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12551,7 +12551,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( Branch count: 2 Document count: 4 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -12568,7 +12568,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -12615,7 +12615,7 @@ Index: geneve-ut-910 Branch count: 1 Document count: 1 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -12628,7 +12628,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") @@ -12641,7 +12641,7 @@ and file.path : "/etc/selinux/config" Branch count: 32 Document count: 32 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and 
@@ -12662,7 +12662,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -12674,7 +12674,7 @@ Index: geneve-ut-916 Branch count: 6 Document count: 6 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python file where container.id:"*" and @@ -12687,7 +12687,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where container.id: "*" and event.type == "start" and @@ -12708,7 +12708,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -12722,7 +12722,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where container.id: "*" and event.type== "start" and @@ -12736,7 +12736,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 2 Document count: 2 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and @@ -12749,7 +12749,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") Branch count: 36 Document count: 36 -Index: geneve-ut-925 +Index: geneve-ut-0925 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12767,7 +12767,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-927 +Index: geneve-ut-0927 ```python sequence by host.id with maxspan = 30s 
@@ -12788,7 +12788,7 @@ sequence by host.id with maxspan = 30s Branch count: 6 Document count: 6 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12805,7 +12805,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12820,7 +12820,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-931 +Index: geneve-ut-0931 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12861,7 +12861,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12895,7 +12895,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12909,7 +12909,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 112 Document count: 112 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12929,7 +12929,7 @@ process.args like ( Branch count: 2 Document count: 2 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12943,7 +12943,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where event.type == "start" and 
@@ -13004,7 +13004,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where container.id: "*" and event.type== "start" and @@ -13047,7 +13047,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where container.id: "*" and event.type== "start" and @@ -13071,7 +13071,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -13084,7 +13084,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python file where host.os.type == "windows" and @@ -13105,7 +13105,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python sequence by process.entity_id with maxspan = 1m @@ -13122,7 +13122,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -13142,7 +13142,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python sequence by winlog.computer_name with maxspan=5m @@ -13166,7 +13166,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13181,7 +13181,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -13202,7 +13202,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -13225,7 +13225,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -13238,7 +13238,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -13254,7 +13254,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -13267,7 +13267,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -13279,7 +13279,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 264 Document count: 264 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( @@ -13327,7 +13327,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python sequence by host.id with maxspan=5s 
@@ -13341,7 +13341,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -13363,7 +13363,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13382,7 +13382,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -13396,7 +13396,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 42 Document count: 42 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and @@ -13423,7 +13423,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 12 Document count: 24 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -13448,7 +13448,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13481,7 +13481,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python beacon_stats.is_beaconing: true and 
@@ -13499,7 +13499,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python beacon_stats.beaconing_score: 3 @@ -13511,7 +13511,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python sequence by user.name with maxspan=12h @@ -13526,7 +13526,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-981 +Index: geneve-ut-0981 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -13551,7 +13551,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13566,7 +13566,7 @@ not process.args == "dpkg" Branch count: 16 Document count: 16 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13580,7 +13580,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python event.category:process and host.os.type:windows and @@ -13611,7 +13611,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-988 +Index: geneve-ut-0988 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13626,7 +13626,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python sequence by host.id with maxspan=5s 
@@ -13648,7 +13648,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-990 +Index: geneve-ut-0990 ```python sequence by host.id with maxspan=5s @@ -13675,7 +13675,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -13687,7 +13687,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 4 Document count: 4 -Index: geneve-ut-993 +Index: geneve-ut-0993 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -13719,7 +13719,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python sequence by host.id with maxspan=30s @@ -13733,7 +13733,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13765,7 +13765,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -13789,7 +13789,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13803,7 +13803,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -13826,7 +13826,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where host.os.type == "windows" and event.type == "start" and diff --git a/tests/reports/alerts_from_rules-8.2.md b/tests/reports/alerts_from_rules-8.2.md index 9a96a487..0d2bd871 100644 --- a/tests/reports/alerts_from_rules-8.2.md +++ b/tests/reports/alerts_from_rules-8.2.md @@ -18,7 +18,7 @@ Rules version: 8.2.1 Branch count: 2 Document count: 2 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -30,7 +30,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 6 Document count: 6 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -48,7 +48,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -66,7 +66,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 84 Document count: 84 -Index: geneve-ut-439 +Index: geneve-ut-0439 Failure message(s): got 48 signals, expected 84 @@ -84,7 +84,7 @@ process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "ww Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue 
@@ -96,7 +96,7 @@ event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -108,7 +108,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -120,7 +120,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -132,7 +132,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -144,7 +144,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -156,7 +156,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success 
@@ -168,7 +168,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -180,7 +180,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -195,7 +195,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -207,7 +207,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -220,7 +220,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -232,7 +232,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and 
@@ -246,7 +246,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -258,7 +258,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -270,7 +270,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -282,7 +282,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -294,7 +294,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -307,7 +307,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and 
@@ -320,7 +320,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -334,7 +334,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -347,7 +347,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -359,7 +359,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -371,7 +371,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -383,7 +383,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success 
@@ -395,7 +395,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-026 +Index: geneve-ut-0026 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -407,7 +407,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -419,7 +419,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -431,7 +431,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -443,7 +443,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -455,7 +455,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -467,7 +467,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -479,7 +479,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -491,7 +491,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -503,7 +503,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -515,7 +515,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -527,7 +527,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and 
@@ -540,7 +540,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -552,7 +552,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -567,7 +567,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -579,7 +579,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -591,7 +591,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -604,7 +604,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or 
@@ -617,7 +617,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -630,7 +630,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -645,7 +645,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -658,7 +658,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -671,7 +671,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -685,7 +685,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -698,7 +698,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success 
@@ -710,7 +710,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -722,7 +722,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -734,7 +734,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 6 Document count: 6 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.category:(network or network_traffic) and destination.port:53 and @@ -747,7 +747,7 @@ event.category:(network or network_traffic) and destination.port:53 and Branch count: 26 Document count: 26 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python process where event.type in ("start", "process_started") and @@ -775,7 +775,7 @@ process where event.type in ("start", "process_started") and Branch count: 12 Document count: 12 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python process where event.type in ("start", "process_started") and @@ -813,7 +813,7 @@ process where event.type in ("start", "process_started") and Branch count: 8 Document count: 8 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python process where event.type in ("start", "process_started") and @@ -829,7 +829,7 @@ process where event.type in ("start", "process_started") and Branch count: 8 Document count: 16 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python sequence by host.id with maxspan=5m 
@@ -856,7 +856,7 @@ sequence by host.id with maxspan=5m Branch count: 72 Document count: 72 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where event.type in ("start", "process_started") and @@ -876,7 +876,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python process where event.type in ("start", "process_started") and @@ -889,7 +889,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* @@ -901,7 +901,7 @@ event.action:"Directory Service Changes" and event.code:5136 and winlog.event_da Branch count: 1 Document count: 1 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -913,7 +913,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -925,7 +925,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python file where event.type == "creation" and @@ -940,7 +940,7 @@ file where event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event) @@ -952,7 +952,7 @@ event.kind:alert and event.module:endgame and (event.action:rules_engine_event o Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.agent_id_status:agent_id_mismatch 
@@ -964,7 +964,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -983,7 +983,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python process where event.type in ("start", "process_started") and process.name : "osascript" and @@ -996,7 +996,7 @@ process where event.type in ("start", "process_started") and process.name : "osa Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1008,7 +1008,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1020,7 +1020,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1032,7 +1032,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1044,7 +1044,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:okta.system and event.action:zone.deactivate 
@@ -1056,7 +1056,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1068,7 +1068,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1080,7 +1080,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1092,7 +1092,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:okta.system and event.action:zone.delete @@ -1104,7 +1104,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-086 +Index: geneve-ut-0086 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1116,7 +1116,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1128,7 +1128,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python event.category:process and event.type:(start or process_started) and @@ -1141,7 +1141,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 30 Document count: 30 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.category:process and event.type:(start or process_started) and 
@@ -1157,7 +1157,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.category:process and event.type:(start or process_started) and @@ -1170,7 +1170,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.category:process and event.type:(start or process_started) and @@ -1185,7 +1185,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1197,7 +1197,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1209,7 +1209,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1221,7 +1221,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1233,7 +1233,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python process where event.type in ("start", "process_started") and 
@@ -1252,7 +1252,7 @@ process where event.type in ("start", "process_started") and Branch count: 12 Document count: 12 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python process where event.type in ("start", "process_started") and @@ -1270,7 +1270,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1282,7 +1282,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1294,7 +1294,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python event.category:process and event.type:(start or process_started) and @@ -1307,7 +1307,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1319,7 +1319,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.category:file and not event.type:deletion and @@ -1334,7 +1334,7 @@ event.category:file and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1348,7 +1348,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:azure.signinlogs and 
@@ -1362,7 +1362,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:azure.signinlogs and @@ -1375,7 +1375,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.dataset:azure.signinlogs and @@ -1389,7 +1389,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1402,7 +1402,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -1414,7 +1414,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -1426,7 +1426,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.dataset:azure.activitylogs and @@ -1445,7 +1445,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.dataset:azure.activitylogs and @@ -1459,7 +1459,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:azure.activitylogs and 
@@ -1477,7 +1477,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -1489,7 +1489,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -1504,7 +1504,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -1516,7 +1516,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -1529,7 +1529,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -1541,7 +1541,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) 
@@ -1553,7 +1553,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -1565,7 +1565,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1577,7 +1577,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1589,7 +1589,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -1601,7 +1601,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and 
@@ -1614,7 +1614,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -1627,7 +1627,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -1642,7 +1642,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -1654,7 +1654,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -1666,7 +1666,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -1678,7 +1678,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) 
@@ -1690,7 +1690,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -1702,7 +1702,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -1714,7 +1714,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -1732,7 +1732,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python process where event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -1744,7 +1744,7 @@ process where event.type != "end" and process.executable : "/usr/sbin/tc" and pr Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.category:process and event.type:(start or process_started) and @@ -1757,7 +1757,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 9 Document count: 9 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.category:file and event.type:change and 
@@ -1792,7 +1792,7 @@ event.category:file and event.type:change and Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where event.type == "start" and @@ -1812,7 +1812,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python process where event.type in ("start", "process_started") and @@ -1830,7 +1830,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python process where event.type == "start" and @@ -1844,7 +1844,7 @@ process where event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python process where event.action == "start" and @@ -1860,7 +1860,7 @@ process where event.action == "start" and Branch count: 15 Document count: 15 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python process where event.type in ("process_started", "start") and @@ -1875,7 +1875,7 @@ process where event.type in ("process_started", "start") and Branch count: 24 Document count: 24 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python process where event.type in ("start", "process_started") and process.name: ("cmd.exe", "powershell.exe") and @@ -1895,7 +1895,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python sequence by process.entity_id @@ -1915,7 +1915,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python process where event.type == "start" and @@ -1932,7 +1932,7 @@ process where event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python registry where 
@@ -1963,7 +1963,7 @@ registry where Branch count: 30 Document count: 30 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where event.type in ("start", "process_started") and @@ -1979,7 +1979,7 @@ process where event.type in ("start", "process_started") and Branch count: 24 Document count: 24 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python network where network.protocol == "dns" and @@ -2004,7 +2004,7 @@ network where network.protocol == "dns" and Branch count: 27 Document count: 27 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python network where network.protocol == "dns" and @@ -2065,7 +2065,7 @@ network where network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python sequence by process.entity_id @@ -2085,7 +2085,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python sequence by process.entity_id @@ -2105,7 +2105,7 @@ sequence by process.entity_id Branch count: 48 Document count: 48 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where event.type in ("start", "process_started") and @@ -2131,7 +2131,7 @@ process where event.type in ("start", "process_started") and Branch count: 5 Document count: 5 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python file where event.type != "deletion" and @@ -2151,7 +2151,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where event.type in ("start", "process_started") and process.name : "osascript" and @@ -2164,7 +2164,7 @@ process where event.type in ("start", "process_started") and process.name : "osa Branch count: 1 Document count: 1 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" 
@@ -2176,7 +2176,7 @@ file where event.action : "creation" and file.extension == "so" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" @@ -2188,7 +2188,7 @@ registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\ Branch count: 2 Document count: 2 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2200,7 +2200,7 @@ file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_ca Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python registry where event.type in ("creation", "change") and @@ -2219,7 +2219,7 @@ registry where event.type in ("creation", "change") and Branch count: 2 Document count: 2 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python file where event.type != "deletion" and @@ -2234,7 +2234,7 @@ file where event.type != "deletion" and Branch count: 8 Document count: 8 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python process where event.type in ("start", "process_started") and @@ -2249,7 +2249,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2261,7 +2261,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) 
@@ -2273,7 +2273,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2285,7 +2285,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2297,7 +2297,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2309,7 +2309,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python event.dataset:cyberarkpas.audit and @@ -2324,7 +2324,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python registry where event.type in ("creation", "change") and @@ -2342,7 +2342,7 @@ registry where event.type in ("creation", "change") and Branch count: 6 Document count: 6 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or @@ -2356,7 +2356,7 @@ event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A4 Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python process where event.type in ("start", "process_started") and 
@@ -2370,7 +2370,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python process where event.type in ("start", "process_started") and @@ -2384,7 +2384,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python sequence by process.entity_id @@ -2399,7 +2399,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python process where event.type in ("start", "process_started") and @@ -2420,7 +2420,7 @@ process where event.type in ("start", "process_started") and Branch count: 3 Document count: 3 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python process where event.type in ("start", "process_started") and @@ -2435,7 +2435,7 @@ process where event.type in ("start", "process_started") and Branch count: 6 Document count: 6 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python registry where event.type == "change" and @@ -2454,7 +2454,7 @@ registry where event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python process where event.type == "start" and @@ -2468,7 +2468,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -2480,7 +2480,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.category:process and event.type:start and 
@@ -2493,7 +2493,7 @@ event.category:process and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python process where event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -2505,7 +2505,7 @@ process where event.type in ("start", "process_started") and process.args : "dum Branch count: 4 Document count: 8 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python sequence by process.entity_id with maxspan=1m @@ -2519,7 +2519,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -2531,7 +2531,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 199 Document count: 199 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python process where @@ -2559,7 +2559,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python file where event.type != "deletion" and @@ -2572,7 +2572,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python process where event.type == "start" and @@ -2586,7 +2586,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python registry where @@ -2600,7 +2600,7 @@ registry where Branch count: 64 Document count: 64 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python process where event.type in ("start", "process_started") and @@ -2622,7 +2622,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.kind:alert and event.module:(endpoint and not endgame) 
@@ -2634,7 +2634,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 14 Document count: 14 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python process where event.type in ("start", "process_started") and @@ -2650,7 +2650,7 @@ process where event.type in ("start", "process_started") and Branch count: 44 Document count: 44 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python process where event.type in ("start", "process_started") and @@ -2688,7 +2688,7 @@ process where event.type in ("start", "process_started") and Branch count: 124 Document count: 124 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python process where event.type in ("start", "process_started") and @@ -2711,7 +2711,7 @@ process where event.type in ("start", "process_started") and Branch count: 8 Document count: 8 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.category:process and event.type:(start or process_started) and @@ -2724,7 +2724,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python iam where event.action == "user-member-enumerated" and @@ -2781,7 +2781,7 @@ iam where event.action == "user-member-enumerated" and Branch count: 46 Document count: 46 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python process where event.type in ("start", "process_started") and @@ -2811,7 +2811,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where event.type in ("start", "process_started") and @@ -2830,7 +2830,7 @@ process where event.type in ("start", "process_started") and Branch count: 16 Document count: 32 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python sequence with maxspan=2h 
@@ -2853,7 +2853,7 @@ sequence with maxspan=2h Branch count: 8 Document count: 16 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python sequence with maxspan=2h @@ -2878,7 +2878,7 @@ sequence with maxspan=2h Branch count: 432 Document count: 1296 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -2907,7 +2907,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.category:process and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -2919,7 +2919,7 @@ event.category:process and event.type:(start or process_started) and process.arg Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python process where event.type in ("start", "process_started") and @@ -2932,7 +2932,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python process where event.type in ("start", "process_started") and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -2944,7 +2944,7 @@ process where event.type in ("start", "process_started") and process.executable Branch count: 1 Document count: 1 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -2956,7 +2956,7 @@ file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" Branch count: 24 Document count: 24 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python event.category:process and event.type:(start or process_started) and 
@@ -2970,7 +2970,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -2982,7 +2982,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -2994,7 +2994,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where event.type in ("start", "process_started") and @@ -3007,7 +3007,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python event.kind:alert and not event.module:(endgame or endpoint) @@ -3019,7 +3019,7 @@ event.kind:alert and not event.module:(endgame or endpoint) Branch count: 19 Document count: 19 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python network where network.protocol == "dns" and @@ -3070,7 +3070,7 @@ network where network.protocol == "dns" and Branch count: 8 Document count: 8 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python event.category:process and event.type:(start or process_started) and process.name:shred and @@ -3083,7 +3083,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 24 Document count: 24 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python event.category:process and event.type:(start or process_started) and 
@@ -3098,7 +3098,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python process where event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd" @@ -3110,7 +3110,7 @@ process where event.type == "start" and user.name == "root" and process.executab Branch count: 4 Document count: 8 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python sequence by host.id, user.id with maxspan = 5s @@ -3136,7 +3136,7 @@ sequence by host.id, user.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -3148,7 +3148,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -3160,7 +3160,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -3172,7 +3172,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -3184,7 +3184,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -3196,7 +3196,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -3208,7 +3208,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 8 Document count: 8 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or @@ -3223,7 +3223,7 @@ not gcp.audit.authentication_info.principal_email:"system:addon-manager" Branch count: 1 Document count: 1 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -3235,7 +3235,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -3247,7 +3247,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success 
@@ -3259,7 +3259,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -3271,7 +3271,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -3283,7 +3283,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-231 +Index: geneve-ut-0231 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -3295,7 +3295,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -3307,7 +3307,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -3319,7 +3319,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success 
@@ -3331,7 +3331,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -3343,7 +3343,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -3355,7 +3355,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -3367,7 +3367,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -3379,7 +3379,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -3391,7 +3391,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -3403,7 +3403,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") 
@@ -3415,7 +3415,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -3427,7 +3427,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -3439,7 +3439,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE @@ -3451,7 +3451,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -3463,7 +3463,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-246 +Index: geneve-ut-0246 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -3475,7 +3475,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python event.dataset:google_workspace.admin and event.provider:admin 
@@ -3489,7 +3489,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 12 Document count: 12 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -3510,7 +3510,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -3522,7 +3522,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 12 Document count: 12 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python any where @@ -3549,7 +3549,7 @@ any where Branch count: 6 Document count: 6 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) @@ -3561,7 +3561,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 4 Document count: 4 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python process where event.type in ("start", "process_started") and @@ -3576,7 +3576,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.category:(network or network_traffic) and network.transport:udp and destination.port:4500 @@ -3588,7 +3588,7 @@ event.category:(network or network_traffic) and network.transport:udp and destin Branch count: 16 Document count: 16 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python process where event.type in ("start", "process_started") and @@ -3605,7 +3605,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 8 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python sequence with maxspan=1m 
@@ -3624,7 +3624,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python sequence by host.id with maxspan=1m @@ -3642,7 +3642,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python sequence by host.id with maxspan=5s @@ -3661,7 +3661,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-265 +Index: geneve-ut-0265 ```python sequence by host.id with maxspan = 30s @@ -3677,7 +3677,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python sequence by host.id with maxspan=30s @@ -3693,7 +3693,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 8 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -3709,7 +3709,7 @@ sequence by process.entity_id Branch count: 8 Document count: 16 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python sequence by process.entity_id with maxspan = 5m @@ -3725,7 +3725,7 @@ sequence by process.entity_id with maxspan = 5m Branch count: 2 Document count: 2 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python registry where @@ -3740,7 +3740,7 @@ registry where Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python event.category:process and event.type:(start or process_started) and process.name:perl and @@ -3753,7 +3753,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 6 Document count: 6 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.category:process and event.type:(start or process_started) and 
@@ -3769,7 +3769,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python event.action:modified-user-account and event.code:4738 and winlog.event_data.AllowedToDelegateTo:*krbtgt* @@ -3781,7 +3781,7 @@ event.action:modified-user-account and event.code:4738 and winlog.event_data.All Branch count: 2 Document count: 2 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python event.category:process and event.type:(start or process_started) and @@ -3795,7 +3795,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python network where event.type == "start" and network.direction : ("outgoing", "egress") and @@ -3820,7 +3820,7 @@ network where event.type == "start" and network.direction : ("outgoing", "egress Branch count: 6 Document count: 6 -Index: geneve-ut-276 +Index: geneve-ut-0276 ```python event.category:process and event.type:(start or process_started) and @@ -3833,7 +3833,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-277 +Index: geneve-ut-0277 ```python process where event.type == "start" and process.executable : "/usr/sbin/insmod" and process.args : "*.ko" @@ -3845,7 +3845,7 @@ process where event.type == "start" and process.executable : "/usr/sbin/insmod" Branch count: 16 Document count: 16 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python process where event.type == "start" and @@ -3860,7 +3860,7 @@ process where event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-279 +Index: geneve-ut-0279 ```python kubernetes.audit.objectRef.resource:"services" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.type:"NodePort" 
@@ -3872,7 +3872,7 @@ kubernetes.audit.objectRef.resource:"services" and kubernetes.audit.verb:("creat Branch count: 3 Document count: 3 -Index: geneve-ut-280 +Index: geneve-ut-0280 ```python kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostIPC:true @@ -3884,7 +3884,7 @@ kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" o Branch count: 3 Document count: 3 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostNetwork:true @@ -3896,7 +3896,7 @@ kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" o Branch count: 3 Document count: 3 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostPID:true @@ -3908,7 +3908,7 @@ kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" o Branch count: 42 Document count: 42 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python kubernetes.audit.objectRef.resource:"pods" @@ -3922,7 +3922,7 @@ kubernetes.audit.objectRef.resource:"pods" Branch count: 1 Document count: 1 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and @@ -3935,7 +3935,7 @@ kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and Branch count: 6 Document count: 6 -Index: geneve-ut-285 +Index: geneve-ut-0285 ```python kubernetes.audit.verb:"create" @@ -3949,7 +3949,7 @@ and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:* Branch count: 1 Document count: 1 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python kubernetes.audit.objectRef.resource:"pods" 
@@ -3962,7 +3962,7 @@ kubernetes.audit.objectRef.resource:"pods" Branch count: 20 Document count: 20 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and @@ -3981,7 +3981,7 @@ file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdm Branch count: 18 Document count: 18 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python any where event.action == "File System" and event.code == "4656" and @@ -4015,7 +4015,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 8 Document count: 8 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python file where event.type in ("creation", "change") and @@ -4033,7 +4033,7 @@ file where event.type in ("creation", "change") and Branch count: 6 Document count: 12 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=1m @@ -4049,7 +4049,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python sequence by host.id with maxspan=1m @@ -4063,7 +4063,7 @@ sequence by host.id with maxspan=1m Branch count: 79 Document count: 79 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python process where event.type == "start" and @@ -4109,7 +4109,7 @@ process where event.type == "start" and Branch count: 600 Document count: 1200 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python sequence with maxspan=1m @@ -4134,7 +4134,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false 
@@ -4146,7 +4146,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 12 Document count: 12 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python registry where event.type == "change" and @@ -4164,7 +4164,7 @@ registry where event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python sequence by host.id, user.id with maxspan=30s @@ -4178,7 +4178,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -4190,7 +4190,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -4202,7 +4202,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -4214,7 +4214,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success 
@@ -4226,7 +4226,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -4238,7 +4238,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -4250,7 +4250,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -4262,7 +4262,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -4274,7 +4274,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success 
@@ -4286,7 +4286,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -4298,7 +4298,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -4310,7 +4310,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -4322,7 +4322,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -4334,7 +4334,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -4347,7 +4347,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 3 Document count: 3 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python event.dataset:o365.audit and event.provider:Exchange and 
@@ -4366,7 +4366,7 @@ event.category:web and event.action:"New-InboxRule" and Branch count: 1 Document count: 1 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -4378,7 +4378,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -4393,7 +4393,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -4407,7 +4407,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -4421,7 +4421,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -4433,7 +4433,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success 
@@ -4445,7 +4445,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 6 Document count: 6 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python process where event.type in ("start", "process_started") and @@ -4459,7 +4459,7 @@ process where event.type in ("start", "process_started") and Branch count: 14 Document count: 14 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python process where event.type == "start" and @@ -4473,7 +4473,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where event.type in ("start", "process_started") and @@ -4487,7 +4487,7 @@ process where event.type in ("start", "process_started") and Branch count: 16 Document count: 16 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python process where event.type in ("start", "process_started") and @@ -4508,7 +4508,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where event.type in ("start", "process_started") and @@ -4522,7 +4522,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where event.type == "start" and @@ -4541,7 +4541,7 @@ process where event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python file where event.type == "creation" and @@ -4566,7 +4566,7 @@ file where event.type == "creation" and Branch count: 8 Document count: 8 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python process where event.type == "start" and @@ -4581,7 +4581,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python process where event.type in ("start", "process_started") and 
@@ -4595,7 +4595,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python process where event.type in ("start", "process_started") and @@ -4609,7 +4609,7 @@ process where event.type in ("start", "process_started") and Branch count: 30 Document count: 30 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python registry where event.type in ("creation", "change") and @@ -4649,7 +4649,7 @@ registry where event.type in ("creation", "change") and Branch count: 1 Document count: 1 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python file where file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -4661,7 +4661,7 @@ file where file.name : "mimilsa.log" and process.name : "lsass.exe" Branch count: 8 Document count: 8 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python registry where event.type in ("creation", "change") and @@ -4678,7 +4678,7 @@ registry where event.type in ("creation", "change") and Branch count: 8 Document count: 8 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python process where event.type in ("start", "process_started") and @@ -4695,7 +4695,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload @@ -4707,7 +4707,7 @@ event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload Branch count: 1 Document count: 1 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python event.category:process and event.type:start and @@ -4733,7 +4733,7 @@ event.category:process and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python event.category:file and event.type:change and 
@@ -4748,7 +4748,7 @@ event.category:file and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python event.category:process and event.type:start and @@ -4770,7 +4770,7 @@ event.category:process and event.type:start and Branch count: 3 Document count: 3 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python event.category:file and event.type:change and @@ -4810,7 +4810,7 @@ event.category:file and event.type:change and Branch count: 8 Document count: 8 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python registry where event.type : ("creation", "change") and @@ -4826,7 +4826,7 @@ registry where event.type : ("creation", "change") and Branch count: 2 Document count: 2 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -4838,7 +4838,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 24 Document count: 24 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python process where event.type in ("start", "process_started") and @@ -4857,7 +4857,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-340 +Index: geneve-ut-0340 ```python sequence by process.entity_id @@ -4872,7 +4872,7 @@ sequence by process.entity_id Branch count: 2 Document count: 4 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python sequence by process.entity_id with maxspan=10m @@ -4890,7 +4890,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) 
@@ -4902,7 +4902,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 168 Document count: 168 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python process where event.type in ("start", "process_started") and @@ -4921,7 +4921,7 @@ process where event.type in ("start", "process_started") and Branch count: 25 Document count: 50 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python sequence by process.entity_id @@ -4938,7 +4938,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python sequence by process.entity_id @@ -4958,7 +4958,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python sequence by process.entity_id @@ -4977,7 +4977,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python sequence by process.entity_id @@ -4996,7 +4996,7 @@ sequence by process.entity_id Branch count: 18 Document count: 36 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python sequence by process.entity_id @@ -5021,7 +5021,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python sequence by process.entity_id @@ -5043,7 +5043,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python registry where registry.data.strings != null and @@ -5063,7 +5063,7 @@ registry where registry.data.strings != null and Branch count: 6 Document count: 6 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python process where event.type in ("start", "process_started") and 
@@ -5076,7 +5076,7 @@ process where event.type in ("start", "process_started") and Branch count: 6 Document count: 6 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -5090,7 +5090,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python event.category:process and event.type:(start or process_started) and process.name:nping @@ -5102,7 +5102,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 1 Document count: 1 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python registry where @@ -5116,7 +5116,7 @@ registry.data.strings != null Branch count: 1 Document count: 1 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -5128,7 +5128,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -5142,7 +5142,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -5154,7 +5154,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate 
@@ -5166,7 +5166,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -5178,7 +5178,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -5193,7 +5193,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 4 Document count: 4 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python process where event.type in ("start", "process_started") and @@ -5207,7 +5207,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -5219,7 +5219,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -5231,7 +5231,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python process where event.type == "start" and @@ -5249,7 +5249,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.category:file and not event.type:deletion and 
@@ -5262,7 +5262,7 @@ event.category:file and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python event.category : file and event.action : modification and @@ -5276,7 +5276,7 @@ event.category : file and event.action : modification and Branch count: 66 Document count: 132 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python sequence by host.id with maxspan=5s @@ -5292,7 +5292,7 @@ sequence by host.id with maxspan=5s Branch count: 7 Document count: 7 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python /* Registry Path ends with backslash */ @@ -5312,7 +5312,7 @@ registry where /* length(registry.data.strings) > 0 and */ Branch count: 32 Document count: 32 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python file where event.type != "deletion" and @@ -5337,7 +5337,7 @@ file where event.type != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python file where event.type != "deletion" and @@ -5356,7 +5356,7 @@ file where event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python file where event.type != "deletion" and @@ -5369,7 +5369,7 @@ file where event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python file where event.type != "deletion" and @@ -5382,7 +5382,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python process where event.type in ("start", "process_started") and @@ -5401,7 +5401,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python process where event.type == "start" and 
@@ -5428,7 +5428,7 @@ process where event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python process where event.type in ("start", "process_started") and @@ -5443,7 +5443,7 @@ process where event.type in ("start", "process_started") and Branch count: 24 Document count: 24 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python registry where @@ -5482,7 +5482,7 @@ registry where Branch count: 7 Document count: 7 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python file where event.type != "deletion" and user.domain != "NT AUTHORITY" and @@ -5505,7 +5505,7 @@ file where event.type != "deletion" and user.domain != "NT AUTHORITY" and Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" @@ -5517,7 +5517,7 @@ registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\ Branch count: 18 Document count: 18 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -5535,7 +5535,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -5547,7 +5547,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python sequence by user.email with maxspan=10m @@ -5562,7 +5562,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.category:process and event.type:(start or process_started) and 
@@ -5575,7 +5575,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python process where event.type in ("start", "process_started") and process.name : "sdbinst.exe" @@ -5587,7 +5587,7 @@ process where event.type in ("start", "process_started") and process.name : "sdb Branch count: 2 Document count: 6 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python sequence by host.id, user.name with maxspan = 5s @@ -5616,7 +5616,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python process where event.type in ("start", "process_started", "info") and @@ -5640,7 +5640,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python any where event.action == "Directory Service Access" and @@ -5670,7 +5670,7 @@ any where event.action == "Directory Service Access" and Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python process where event.code == "10" and @@ -5688,7 +5688,7 @@ process where event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where event.code == "10" and @@ -5707,7 +5707,7 @@ process where event.code == "10" and Branch count: 2 Document count: 4 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by process.entity_id with maxspan=1m @@ -5725,7 +5725,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python sequence by process.entity_id @@ -5740,7 +5740,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python process where event.type == "start" and 
@@ -5759,7 +5759,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python process where event.type == "start" and @@ -5780,7 +5780,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined) @@ -5792,7 +5792,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 2 Document count: 2 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0 @@ -5804,7 +5804,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 2 Document count: 2 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python process where event.type in ("start", "process_started") and @@ -5817,7 +5817,7 @@ process where event.type in ("start", "process_started") and Branch count: 6 Document count: 6 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python event.category:process and event.type:(start or process_started) and @@ -5830,7 +5830,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 60 Document count: 120 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python sequence by host.id with maxspan=1m @@ -5866,7 +5866,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.category:process and event.type:start and @@ -5879,7 +5879,7 @@ event.category:process and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python registry where event.type == "change" and 
@@ -5894,7 +5894,7 @@ registry where event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python process where event.code:"4688" and @@ -5908,7 +5908,7 @@ process where event.code:"4688" and Branch count: 16 Document count: 32 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python sequence by host.id with maxspan=30s @@ -5926,7 +5926,7 @@ sequence by host.id with maxspan=30s Branch count: 12 Document count: 12 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python process where event.type in ("start", "process_started") and @@ -5945,7 +5945,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos @@ -5957,7 +5957,7 @@ event.category:file and not event.type:deletion and file.name:~$*.zip and host.o Branch count: 48 Document count: 48 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python process where event.type in ("start", "process_started", "info") and @@ -5997,7 +5997,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 84 Document count: 84 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -6037,7 +6037,7 @@ file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/ Branch count: 1 Document count: 1 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.category:"file" and not event.type:"deletion" and @@ -6050,7 +6050,7 @@ event.category:"file" and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.category:"file" and not event.type:"deletion" and 
@@ -6065,7 +6065,7 @@ event.category:"file" and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.category:"file" and not event.type:"deletion" and @@ -6078,7 +6078,7 @@ event.category:"file" and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python registry where event.type:"change" and @@ -6092,7 +6092,7 @@ registry where event.type:"change" and Branch count: 4 Document count: 4 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python registry where event.type in ("creation", "change") and @@ -6109,7 +6109,7 @@ registry where event.type in ("creation", "change") and Branch count: 4 Document count: 4 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python process where event.type in ("start", "process_started") and @@ -6125,7 +6125,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -6139,7 +6139,7 @@ process where event.type in ("start", "process_started") and process.name : "sql Branch count: 8 Document count: 8 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python /* This rule is compatible with both Sysmon and Elastic Endpoint */ @@ -6162,7 +6162,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python file where file.path : "/*GCONV_PATH*" @@ -6174,7 +6174,7 @@ file where file.path : "/*GCONV_PATH*" Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) 
@@ -6186,7 +6186,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python iam where event.action == "renamed-user-account" and @@ -6200,7 +6200,7 @@ iam where event.action == "renamed-user-account" and Branch count: 1 Document count: 2 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python sequence with maxspan=5s @@ -6214,7 +6214,7 @@ sequence with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python process where event.type == "start" and @@ -6227,7 +6227,7 @@ process where event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python sequence by host.id, user.id with maxspan=1m @@ -6251,7 +6251,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python /* Identifies the modification of RDP Shadow registry or @@ -6273,7 +6273,7 @@ any where Branch count: 10 Document count: 10 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python process where event.type in ("start", "process_started") and @@ -6288,7 +6288,7 @@ process where event.type in ("start", "process_started") and Branch count: 80 Document count: 80 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python process where event.type in ("start", "process_started") and @@ -6307,7 +6307,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python file where event.type == "change" and file.name : "*AAA.AAA" @@ -6319,7 +6319,7 @@ file where event.type == "change" and file.name : "*AAA.AAA" Branch count: 1 Document count: 1 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" 
@@ -6331,7 +6331,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_ Branch count: 64 Document count: 192 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -6359,7 +6359,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 16 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -6375,7 +6375,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python event.category:process and @@ -6390,7 +6390,7 @@ event.category:process and Branch count: 3 Document count: 3 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) @@ -6402,7 +6402,7 @@ event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump Branch count: 9 Document count: 9 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python event.category:process and @@ -6425,7 +6425,7 @@ event.category:process and Branch count: 2 Document count: 2 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python registry where event.type == "change" and @@ -6440,7 +6440,7 @@ registry where event.type == "change" and Branch count: 11 Document count: 11 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python event.category:process and @@ -6465,7 +6465,7 @@ event.category:process and Branch count: 4 Document count: 4 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where event.type in ("start", "process_started") and @@ -6479,7 +6479,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python file where event.action : "Pipe Created*" and 
@@ -6493,7 +6493,7 @@ file where event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.category:file and not event.type:deletion and @@ -6506,7 +6506,7 @@ event.category:file and not event.type:deletion and Branch count: 2 Document count: 2 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and @@ -6519,7 +6519,7 @@ registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USER Branch count: 14 Document count: 14 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python process where event.type in ("start", "process_started") and @@ -6533,7 +6533,7 @@ process where event.type in ("start", "process_started") and Branch count: 198 Document count: 198 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python process where event.type in ("start", "process_started", "info") and @@ -6571,7 +6571,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind Branch count: 2 Document count: 2 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -6583,7 +6583,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -6595,7 +6595,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python process.name:MSBuild.exe and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -6607,7 +6607,7 @@ process.name:MSBuild.exe and event.action:"CreateRemoteThread detected (rule: Cr Branch count: 3 Document count: 6 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python sequence by host.id with maxspan=5s @@ -6631,7 +6631,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python process where event.type == "start" and @@ -6645,7 +6645,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python process where event.type in ("start", "process_started") and process.name : "osascript" and @@ -6658,7 +6658,7 @@ process where event.type in ("start", "process_started") and process.name : "osa Branch count: 1 Document count: 2 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python sequence by process.entity_id @@ -6682,7 +6682,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and @@ -6727,7 +6727,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 8 Document count: 8 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python registry where event.type in ("creation", "change") and @@ -6742,7 +6742,7 @@ registry where event.type in ("creation", "change") and Branch count: 12 Document count: 12 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and 
@@ -6787,7 +6787,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 12 Document count: 12 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and @@ -6832,7 +6832,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 2 Document count: 2 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -6844,7 +6844,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -6856,7 +6856,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python registry where @@ -6870,7 +6870,7 @@ registry where Branch count: 2 Document count: 2 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python registry where @@ -6888,7 +6888,7 @@ registry where Branch count: 1 Document count: 2 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python sequence by host.id with maxspan=5m @@ -6910,7 +6910,7 @@ sequence by host.id with maxspan=5m Branch count: 36 Document count: 36 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python process where event.type in ("start", "process_started") and @@ -6925,7 +6925,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 8 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python sequence with maxspan=1m 
@@ -6939,7 +6939,7 @@ sequence with maxspan=1m Branch count: 32 Document count: 32 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python process where event.type in ("start", "process_started") and @@ -6953,7 +6953,7 @@ process where event.type in ("start", "process_started") and Branch count: 11 Document count: 11 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python file where event.type == "creation" and process.name : "TeamViewer.exe" and @@ -6966,7 +6966,7 @@ file where event.type == "creation" and process.name : "TeamViewer.exe" and Branch count: 4 Document count: 4 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python process where event.type in ("start", "process_started") and @@ -6980,7 +6980,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python process where event.type == "start" and @@ -6994,7 +6994,7 @@ process where event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -7011,7 +7011,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python sequence by host.id, process.entity_id @@ -7027,7 +7027,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.category:process and event.type:(start or process_started) and @@ -7042,7 +7042,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 4 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ 
@@ -7061,7 +7061,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 6 Document count: 6 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python process where event.type in ("start", "process_started") and @@ -7075,7 +7075,7 @@ process where event.type in ("start", "process_started") and Branch count: 16 Document count: 32 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python sequence with maxspan=1s @@ -7122,7 +7122,7 @@ sequence with maxspan=1s Branch count: 3 Document count: 3 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python process where event.type in ("start", "process_started", "info") and @@ -7135,7 +7135,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 24 Document count: 24 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python event.category:(network or network_traffic) and network.protocol:http and @@ -7181,7 +7181,7 @@ event.category:(network or network_traffic) and network.protocol:http and Branch count: 4 Document count: 4 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python registry where event.type:"change" and @@ -7200,7 +7200,7 @@ registry where event.type:"change" and Branch count: 18 Document count: 18 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and @@ -7245,7 +7245,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 4 Document count: 4 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26)) @@ -7257,7 +7257,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 4 Document count: 4 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python event.category:file and event.type:(change or creation) and 
@@ -7282,7 +7282,7 @@ event.category:file and event.type:(change or creation) and Branch count: 20 Document count: 40 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python sequence by host.id with maxspan = 30s @@ -7298,7 +7298,7 @@ sequence by host.id with maxspan = 30s Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python registry where @@ -7312,7 +7312,7 @@ registry where Branch count: 3 Document count: 3 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python file where event.type != "deletion" and @@ -7337,7 +7337,7 @@ file where event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python process where event.type in ("start", "process_started") and @@ -7351,7 +7351,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python process where event.type in ("start", "process_started") and @@ -7365,7 +7365,7 @@ process where event.type in ("start", "process_started") and Branch count: 58 Document count: 58 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python process where event.type == "start" and @@ -7411,7 +7411,7 @@ process.name : "grep" and user.id != "0" and Branch count: 135 Document count: 135 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python event.category:process and event.type:start and @@ -7454,7 +7454,7 @@ event.category:process and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.action: "Authorization Policy Change" and event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" @@ -7466,7 +7466,7 @@ event.action: "Authorization Policy Change" and event.code:4704 and winlog.event Branch count: 32 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python sequence by process.entity_id with maxspan = 1m 
@@ -7483,7 +7483,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -7503,7 +7503,7 @@ process where event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python sequence by host.id with maxspan=5m @@ -7527,7 +7527,7 @@ sequence by host.id with maxspan=5m Branch count: 1 Document count: 1 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -7539,7 +7539,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-508 +Index: geneve-ut-0508 ```python sequence by host.id with maxspan=5s @@ -7553,7 +7553,7 @@ sequence by host.id with maxspan=5s Branch count: 2 Document count: 2 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python process where event.type in ("start","process_started") @@ -7567,7 +7567,7 @@ process where event.type in ("start","process_started") Branch count: 4 Document count: 4 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.category:process and event.type:(start or process_started) and @@ -7581,7 +7581,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 14 Document count: 14 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and @@ -7602,7 +7602,7 @@ registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" Branch count: 24 Document count: 48 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python sequence by host.id, process.entity_id with maxspan=5s 
@@ -7627,7 +7627,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python file where event.type != "deletion" and @@ -7660,7 +7660,7 @@ file where event.type != "deletion" and Branch count: 60 Document count: 60 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python registry where registry.data.strings != null and @@ -7695,7 +7695,7 @@ registry where registry.data.strings != null and Branch count: 4 Document count: 4 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python file where event.type in ("change", "creation") and file.extension : "py" and @@ -7720,7 +7720,7 @@ file where event.type in ("change", "creation") and file.extension : "py" and Branch count: 2 Document count: 2 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) @@ -7732,7 +7732,7 @@ event.category:file and event.type:change and file.path:(/etc/sudoers* or /priva Branch count: 32 Document count: 32 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python process where event.type in ("start", "process_started") and @@ -7746,7 +7746,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.category:process and @@ -7762,7 +7762,7 @@ event.category:process and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -7774,7 +7774,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 4 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python sequence by host.id with maxspan=30s 
@@ -7788,7 +7788,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python process where event.type in ("start", "process_started") and @@ -7816,7 +7816,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python event.category:file and event.action:modification and @@ -7840,7 +7840,7 @@ event.category:file and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python process where event.type == "start" and @@ -7854,7 +7854,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.category:process and event.type:(start or process_started) and @@ -7876,7 +7876,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 4 Document count: 4 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python process where event.type in ("start", "process_started") and @@ -7890,7 +7890,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python file where event.type != "deletion" and process.name != null and @@ -7903,7 +7903,7 @@ file where event.type != "deletion" and process.name != null and Branch count: 90 Document count: 90 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python any where @@ -7929,7 +7929,7 @@ any where Branch count: 44 Document count: 44 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python process where event.type in ("start", "process_started") and @@ -7965,7 +7965,7 @@ process where event.type in ("start", "process_started") and Branch count: 6 Document count: 6 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python process where event.type in ("start", "process_started", "info") and 
@@ -7984,7 +7984,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 8 Document count: 8 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where event.type == "start" and process.executable : "C:\\*" and @@ -8000,7 +8000,7 @@ process where event.type == "start" and process.executable : "C:\\*" and Branch count: 128 Document count: 128 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where event.type == "start" and @@ -8044,7 +8044,7 @@ process where event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where event.type in ("start", "process_started") and @@ -8068,7 +8068,7 @@ process where event.type in ("start", "process_started") and Branch count: 5 Document count: 5 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python file where event.action == "creation" and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd") @@ -8080,7 +8080,7 @@ file where event.action == "creation" and user.name == "root" and file.path : (" Branch count: 2 Document count: 2 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category:process and event.type:(start or process_started) and @@ -8093,7 +8093,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 20 Document count: 20 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python any where @@ -8108,7 +8108,7 @@ any where Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" and 
@@ -8122,7 +8122,7 @@ registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePat Branch count: 16 Document count: 16 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where event.type in ("start", "process_started") and @@ -8136,7 +8136,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where event.code == "10" and @@ -8155,7 +8155,7 @@ process where event.code == "10" and Branch count: 912 Document count: 912 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python process where event.type in ("start", "process_started") and @@ -8175,7 +8175,7 @@ process where event.type in ("start", "process_started") and Branch count: 104 Document count: 104 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python process where event.type in ("start", "process_started") and @@ -8196,7 +8196,7 @@ process where event.type in ("start", "process_started") and Branch count: 64 Document count: 128 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python sequence by process.entity_id with maxspan=5m @@ -8219,7 +8219,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python sequence by process.entity_id with maxspan=1m @@ -8235,7 +8235,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 424 Document count: 424 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python process where event.type in ("start", "process_started") and @@ -8259,7 +8259,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and @@ -8274,7 +8274,7 @@ event.category:process and Branch count: 1 Document count: 1 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python file where event.type : "deletion" and 
@@ -8288,7 +8288,7 @@ file where event.type : "deletion" and Branch count: 1 Document count: 2 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python sequence by host.id with maxspan=30s @@ -8306,7 +8306,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python file where event.type != "deletion" and @@ -8326,7 +8326,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python file where event.type != "deletion" and process.name : "spoolsv.exe" and @@ -8340,7 +8340,7 @@ file where event.type != "deletion" and process.name : "spoolsv.exe" and Branch count: 3 Document count: 3 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where event.type in ("start", "process_started", "info") and @@ -8353,7 +8353,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 2 Document count: 2 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python process where event.type in ("start", "process_started") and @@ -8367,7 +8367,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and @@ -8394,7 +8394,7 @@ any where (event.category == "library" or (event.category == "process" and event Branch count: 1 Document count: 2 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m @@ -8412,7 +8412,7 @@ sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python sequence by process.entity_id with maxspan=2m 
@@ -8446,7 +8446,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 4 Document count: 4 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python process where event.type in ("start", "process_started") and @@ -8468,7 +8468,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python registry where @@ -8494,7 +8494,7 @@ registry where Branch count: 20 Document count: 20 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python any where @@ -8509,7 +8509,7 @@ any where Branch count: 96 Document count: 192 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by process.entity_id with maxspan = 2m @@ -8527,7 +8527,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 2 Document count: 2 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python process where event.type in ("start", "process_started") and @@ -8553,7 +8553,7 @@ process where event.type in ("start", "process_started") and Branch count: 12 Document count: 12 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python process where event.type in ("start", "process_started", "info") and @@ -8566,7 +8566,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 114 Document count: 114 -Index: geneve-ut-576 +Index: geneve-ut-0576 ```python process where event.type in ("start", "process_started") and @@ -8612,7 +8612,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python process where event.type == "start" and @@ -8632,7 +8632,7 @@ process where event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python file where event.type == "deletion" and 
@@ -8657,7 +8657,7 @@ file where event.type == "deletion" and Branch count: 8 Document count: 8 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python process where event.type in ("start", "process_started") and @@ -8674,7 +8674,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python event.category:process and event.type:(start or process_started) and @@ -8687,7 +8687,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python event.category : process and event.type : (start or process_started) and process.name : mount_apfs and @@ -8700,7 +8700,7 @@ event.category : process and event.type : (start or process_started) and process Branch count: 90 Document count: 90 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where event.type in ("start", "process_started") and @@ -8723,7 +8723,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port:23 @@ -8735,7 +8735,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 4 Document count: 4 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python file where event.type == "deletion" and @@ -8759,7 +8759,7 @@ file where event.type == "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python event.dataset:okta.system and event.action:security.threat.detected @@ -8771,7 +8771,7 @@ event.dataset:okta.system and event.action:security.threat.detected Branch count: 4 Document count: 4 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python process where event.type == "start" and 
@@ -8786,7 +8786,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python process where event.type in ("start", "process_started") and @@ -8803,7 +8803,7 @@ process where event.type in ("start", "process_started") and Branch count: 6 Document count: 6 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python file where event.type : "change" and process.name : "dllhost.exe" and @@ -8819,7 +8819,7 @@ file where event.type : "change" and process.name : "dllhost.exe" and Branch count: 4 Document count: 4 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python process where event.type in ("start", "process_started") and @@ -8832,7 +8832,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python process where event.type in ("start", "process_started") and process.name : "Clipup.exe" and @@ -8847,7 +8847,7 @@ process where event.type in ("start", "process_started") and process.name : "Cli Branch count: 1 Document count: 1 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python process where event.type == "start" and @@ -8863,7 +8863,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python process where event.type in ("start", "process_started") and @@ -8878,7 +8878,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python process where event.type in ("start", "process_started") and @@ -8894,7 +8894,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt 
@@ -8906,7 +8906,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python process where event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -8918,7 +8918,7 @@ process where event.type == "start" and process.parent.name == "ScreenSaverEngin Branch count: 2 Document count: 2 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python process where event.type in ("start", "process_started") and @@ -8932,7 +8932,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-602 +Index: geneve-ut-0602 ```python process where event.type == "start" and process.parent.name : "dns.exe" and @@ -8945,7 +8945,7 @@ process where event.type == "start" and process.parent.name : "dns.exe" and Branch count: 8 Document count: 16 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python sequence with maxspan=1h @@ -8963,7 +8963,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python file where event.type != "deletion" and @@ -8985,7 +8985,7 @@ file where event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python file where event.type == "creation" and @@ -9031,7 +9031,7 @@ file where event.type == "creation" and Branch count: 3 Document count: 3 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python file where process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -9044,7 +9044,7 @@ file where process.name : "dns.exe" and event.type in ("creation", "deletion", " Branch count: 800 Document count: 1600 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python sequence by process.entity_id with maxspan=5m 
@@ -9100,7 +9100,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 2 Document count: 4 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -9119,7 +9119,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -9138,7 +9138,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python process where event.type in ("start", "process_started") and @@ -9175,7 +9175,7 @@ process where event.type in ("start", "process_started") and Branch count: 64 Document count: 64 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python process where event.type in ("start", "process_started") and @@ -9216,7 +9216,7 @@ process.parent.name != null and Branch count: 4 Document count: 4 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and @@ -9241,7 +9241,7 @@ registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\Service Branch count: 32 Document count: 32 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where event.type == "start" and @@ -9264,7 +9264,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python process where event.type == "start" and @@ -9277,7 +9277,7 @@ process where event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python sequence by process.entity_id @@ -9314,7 +9314,7 @@ sequence by process.entity_id Branch count: 8 Document count: 8 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python process where event.type in ("start", "process_started") and 
@@ -9329,7 +9329,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) @@ -9341,7 +9341,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -9353,7 +9353,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python iam where event.action == "added-member-to-group" and @@ -9373,7 +9373,7 @@ iam where event.action == "added-member-to-group" and Branch count: 1 Document count: 1 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectClass:"user" @@ -9386,7 +9386,7 @@ and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" Branch count: 6 Document count: 6 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -9431,7 +9431,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 6 Document count: 6 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and 
@@ -9476,7 +9476,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 10 Document count: 10 -Index: geneve-ut-654 +Index: geneve-ut-0654 ```python event.category:process and event.type:(start or process_started) and @@ -9494,7 +9494,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 6 Document count: 6 -Index: geneve-ut-655 +Index: geneve-ut-0655 ```python process where event.type == "start" and @@ -9509,7 +9509,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python process where event.type in ("start", "process_started") and @@ -9526,7 +9526,7 @@ process where event.type in ("start", "process_started") and Branch count: 8 Document count: 8 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python process where event.type in ("start", "process_started") @@ -9540,7 +9540,7 @@ process where event.type in ("start", "process_started") Branch count: 120 Document count: 120 -Index: geneve-ut-658 +Index: geneve-ut-0658 ```python process where event.type in ("start", "process_started") and @@ -9556,7 +9556,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where event.type in ("start", "process_started") and @@ -9570,7 +9570,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 8 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python sequence by host.id with maxspan = 2s @@ -9598,7 +9598,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python url.path:* @@ -9610,7 +9610,7 @@ url.path:* Branch count: 1 Document count: 1 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python http.response.status_code:403 and http.request.method:post 
@@ -9622,7 +9622,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python http.response.status_code:405 @@ -9634,7 +9634,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -9646,7 +9646,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 3 Document count: 3 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python event.category : process and event.type : start and @@ -9662,7 +9662,7 @@ event.category : process and event.type : start and Branch count: 5 Document count: 5 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python file where event.type == "deletion" and @@ -9679,7 +9679,7 @@ file where event.type == "deletion" and Branch count: 42 Document count: 42 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python process where event.type == "start" and @@ -9693,7 +9693,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where event.type in ("start", "process_started") and process.name : "whoami.exe" @@ -9705,7 +9705,7 @@ process where event.type in ("start", "process_started") and process.name : "who Branch count: 12 Document count: 12 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python registry where event.type in ("creation", "change") and @@ -9727,7 +9727,7 @@ registry where event.type in ("creation", "change") and Branch count: 12 Document count: 12 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python process where event.type == "start" and @@ -9742,7 +9742,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python event.action:("audit-log-cleared" or "Log clear") 
@@ -9754,7 +9754,7 @@ event.action:("audit-log-cleared" or "Log clear") Branch count: 16 Document count: 16 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where event.action == "start" and @@ -9770,7 +9770,7 @@ process where event.action == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python process where event.type in ("start", "process_started") and @@ -9795,7 +9795,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python file where event.type == "creation" and @@ -9810,7 +9810,7 @@ file where event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where event.type in ("start", "process_started") and @@ -9823,7 +9823,7 @@ process where event.type in ("start", "process_started") and Branch count: 288 Document count: 576 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python sequence by host.id with maxspan = 5s @@ -9862,7 +9862,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") @@ -9874,7 +9874,7 @@ event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or Branch count: 1 Document count: 1 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.3.md b/tests/reports/alerts_from_rules-8.3.md index 285f747a..09ec142b 100644 --- a/tests/reports/alerts_from_rules-8.3.md +++ b/tests/reports/alerts_from_rules-8.3.md 
@@ -18,7 +18,7 @@ Rules version: 8.3.4 Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -30,7 +30,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 6 Document count: 6 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -48,7 +48,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -64,7 +64,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 64 Document count: 192 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python sequence by host.id, source.ip with maxspan=10s @@ -81,7 +81,7 @@ sequence by host.id, source.ip with maxspan=10s Branch count: 1024 Document count: 10240 -Index: geneve-ut-436 +Index: geneve-ut-0436 Failure message(s): got 1000 signals, expected 1024 @@ -97,7 +97,7 @@ sequence by host.id, source.ip, user.name with maxspan=10s Branch count: 84 Document count: 84 -Index: geneve-ut-467 +Index: geneve-ut-0467 Failure message(s): got 48 signals, expected 84 @@ -113,7 +113,7 @@ process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "ww Branch count: 4608 Document count: 4608 -Index: geneve-ut-579 +Index: geneve-ut-0579 Failure message(s): got 1000 signals, expected 4608 @@ -166,7 +166,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and 
@@ -188,7 +188,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -209,7 +209,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue @@ -221,7 +221,7 @@ event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -233,7 +233,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -245,7 +245,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -257,7 +257,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success 
@@ -269,7 +269,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -281,7 +281,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -293,7 +293,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -305,7 +305,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -320,7 +320,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -332,7 +332,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) 
@@ -345,7 +345,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -357,7 +357,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -371,7 +371,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -383,7 +383,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -395,7 +395,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -407,7 +407,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure 
@@ -419,7 +419,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -432,7 +432,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -445,7 +445,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -459,7 +459,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -472,7 +472,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -484,7 +484,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success 
@@ -496,7 +496,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -508,7 +508,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -520,7 +520,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -532,7 +532,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -544,7 +544,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -556,7 +556,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success 
@@ -568,7 +568,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -580,7 +580,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -592,7 +592,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -604,7 +604,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -616,7 +616,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success 
@@ -628,7 +628,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -640,7 +640,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -652,7 +652,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -664,7 +664,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and @@ -677,7 +677,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -689,7 +689,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and 
@@ -704,7 +704,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -716,7 +716,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -728,7 +728,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -741,7 +741,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -754,7 +754,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -767,7 +767,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and 
@@ -782,7 +782,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -795,7 +795,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -808,7 +808,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -822,7 +822,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -835,7 +835,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -847,7 +847,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -859,7 +859,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -871,7 +871,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 6 Document count: 6 -Index: geneve-ut-058 +Index: geneve-ut-0058 ```python event.category:(network or network_traffic) and destination.port:53 and @@ -884,7 +884,7 @@ event.category:(network or network_traffic) and destination.port:53 and Branch count: 8 Document count: 8 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.category:(network or network_traffic) and destination.port:23 @@ -900,7 +900,7 @@ event.category:(network or network_traffic) and destination.port:23 Branch count: 26 Document count: 26 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where event.type in ("start", "process_started") and @@ -928,7 +928,7 @@ process where event.type in ("start", "process_started") and Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where event.type in ("start", "process_started") and @@ -966,7 +966,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python any where event.action == "Directory Service Access" and event.code == "4662" and @@ -1001,7 +1001,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 4 Document count: 4 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python process where event.type == "start" and 
@@ -1017,7 +1017,7 @@ process where event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python sequence by winlog.computer_name with maxspan=5m @@ -1044,7 +1044,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 36 Document count: 36 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python process where event.type == "start" and @@ -1064,7 +1064,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where event.type == "start" and @@ -1077,7 +1077,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* @@ -1089,7 +1089,7 @@ event.action:"Directory Service Changes" and event.code:5136 and winlog.event_da Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1101,7 +1101,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1113,7 +1113,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python file where event.type == "creation" and @@ -1128,7 +1128,7 @@ file where event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) 
@@ -1140,7 +1140,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.agent_id_status:agent_id_mismatch @@ -1152,7 +1152,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1171,7 +1171,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python process where event.type in ("start", "process_started") and process.name : "osascript" and @@ -1184,7 +1184,7 @@ process where event.type in ("start", "process_started") and process.name : "osa Branch count: 1 Document count: 1 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1196,7 +1196,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1211,7 +1211,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1223,7 +1223,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate 
@@ -1235,7 +1235,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-086 +Index: geneve-ut-0086 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1247,7 +1247,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1259,7 +1259,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1271,7 +1271,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1283,7 +1283,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1295,7 +1295,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:zone.delete @@ -1307,7 +1307,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1319,7 +1319,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.rule.delete 
@@ -1331,7 +1331,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.category:process and event.type:(start or process_started) and @@ -1344,7 +1344,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 30 Document count: 30 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python event.category:process and event.type:(start or process_started) and @@ -1360,7 +1360,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.category:process and event.type:(start or process_started) and @@ -1373,7 +1373,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.category:process and event.type:(start or process_started) and @@ -1388,7 +1388,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1400,7 +1400,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1412,7 +1412,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python event.dataset:okta.system and event.action:policy.lifecycle.update 
@@ -1424,7 +1424,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1436,7 +1436,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python process where event.type in ("start", "process_started") and @@ -1455,7 +1455,7 @@ process where event.type in ("start", "process_started") and Branch count: 12 Document count: 12 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python process where event.type in ("start", "process_started") and @@ -1473,7 +1473,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1485,7 +1485,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1497,7 +1497,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.category:process and event.type:(start or process_started) and @@ -1510,7 +1510,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1522,7 +1522,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 1 Document count: 1 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python event.category:file and not event.type:deletion and 
@@ -1537,7 +1537,7 @@ event.category:file and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1551,7 +1551,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.dataset:azure.signinlogs and @@ -1565,7 +1565,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.dataset:azure.signinlogs and @@ -1578,7 +1578,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:azure.signinlogs and @@ -1592,7 +1592,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1605,7 +1605,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -1617,7 +1617,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -1629,7 +1629,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:azure.activitylogs and 
@@ -1648,7 +1648,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.activitylogs and @@ -1662,7 +1662,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.activitylogs and @@ -1680,7 +1680,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -1692,7 +1692,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -1707,7 +1707,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -1719,7 +1719,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -1732,7 +1732,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) 
@@ -1744,7 +1744,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -1756,7 +1756,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -1768,7 +1768,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1780,7 +1780,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1792,7 +1792,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) 
@@ -1804,7 +1804,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -1817,7 +1817,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -1830,7 +1830,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -1845,7 +1845,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -1857,7 +1857,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -1869,7 +1869,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) 
@@ -1881,7 +1881,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -1893,7 +1893,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -1905,7 +1905,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -1917,7 +1917,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -1935,7 +1935,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python process where event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -1947,7 +1947,7 @@ process where event.type != "end" and process.executable : "/usr/sbin/tc" and pr Branch count: 8 Document count: 8 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.category:process and event.type:(start or process_started) and 
@@ -1960,7 +1960,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 9 Document count: 9 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.category:file and event.type:change and @@ -1995,7 +1995,7 @@ event.category:file and event.type:change and Branch count: 4 Document count: 4 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python process where event.type == "start" and @@ -2015,7 +2015,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python process where event.type == "start" and @@ -2033,7 +2033,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python process where event.type == "start" and @@ -2047,7 +2047,7 @@ process where event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python process where event.type == "start" and @@ -2063,7 +2063,7 @@ process where event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where event.type == "start" and @@ -2083,7 +2083,7 @@ process where event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2103,7 +2103,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python sequence by process.entity_id @@ -2123,7 +2123,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where event.type == "start" and @@ -2140,7 +2140,7 @@ process where event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python registry where 
@@ -2177,7 +2177,7 @@ registry where Branch count: 24 Document count: 24 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python network where network.protocol == "dns" and @@ -2202,7 +2202,7 @@ network where network.protocol == "dns" and Branch count: 29 Document count: 29 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python network where network.protocol == "dns" and @@ -2265,7 +2265,7 @@ network where network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python sequence by process.entity_id @@ -2285,7 +2285,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python sequence by process.entity_id @@ -2305,7 +2305,7 @@ sequence by process.entity_id Branch count: 24 Document count: 24 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python process where event.type == "start" and @@ -2331,7 +2331,7 @@ process where event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python file where event.type != "deletion" and @@ -2351,7 +2351,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python process where event.type in ("start", "process_started") and process.name : "osascript" and @@ -2364,7 +2364,7 @@ process where event.type in ("start", "process_started") and process.name : "osa Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" @@ -2376,7 +2376,7 @@ file where event.action : "creation" and file.extension == "so" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" 
@@ -2388,7 +2388,7 @@ registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\ Branch count: 2 Document count: 2 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2400,7 +2400,7 @@ file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_ca Branch count: 16 Document count: 16 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python registry where event.type in ("creation", "change") and @@ -2433,7 +2433,7 @@ registry where event.type in ("creation", "change") and Branch count: 2 Document count: 2 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python file where event.type != "deletion" and @@ -2448,7 +2448,7 @@ file where event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python process where event.type == "start" and @@ -2463,7 +2463,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2475,7 +2475,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2487,7 +2487,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) 
@@ -2499,7 +2499,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2511,7 +2511,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2523,7 +2523,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:cyberarkpas.audit and @@ -2538,7 +2538,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python registry where event.type in ("creation", "change") and @@ -2556,7 +2556,7 @@ registry where event.type in ("creation", "change") and Branch count: 6 Document count: 6 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or @@ -2570,7 +2570,7 @@ event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A4 Branch count: 2 Document count: 2 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python process where event.type == "start" and @@ -2584,7 +2584,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python process where event.type == "start" and @@ -2598,7 +2598,7 @@ process where event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python sequence by process.entity_id 
@@ -2625,7 +2625,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python process where event.type == "start" and @@ -2646,7 +2646,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python process where event.type == "start" and @@ -2663,7 +2663,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python registry where event.type == "change" and @@ -2682,7 +2682,7 @@ registry where event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python process where event.type == "start" and @@ -2696,7 +2696,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -2708,7 +2708,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python event.category:process and event.type:start and @@ -2721,7 +2721,7 @@ event.category:process and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python process where event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -2733,7 +2733,7 @@ process where event.type in ("start", "process_started") and process.args : "dum Branch count: 4 Document count: 8 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python sequence by process.entity_id with maxspan=1m 
@@ -2747,7 +2747,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -2759,7 +2759,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 199 Document count: 199 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python process where @@ -2787,7 +2787,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python file where event.type != "deletion" and @@ -2800,7 +2800,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python process where event.type == "start" and @@ -2814,7 +2814,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python registry where @@ -2828,7 +2828,7 @@ registry where Branch count: 34 Document count: 34 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python process where event.type == "start" and @@ -2850,7 +2850,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -2862,7 +2862,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 7 Document count: 7 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python process where event.type == "start" and @@ -2878,7 +2878,7 @@ process where event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python process where event.type == "start" and 
@@ -2916,7 +2916,7 @@ process where event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where event.type == "start" and @@ -2939,7 +2939,7 @@ process where event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.category:process and event.type:(start or process_started) and @@ -2952,7 +2952,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 4 Document count: 4 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python iam where event.action == "user-member-enumerated" and @@ -3009,7 +3009,7 @@ iam where event.action == "user-member-enumerated" and Branch count: 46 Document count: 46 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where event.type in ("start", "process_started") and @@ -3039,7 +3039,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.category:process and powershell.file.script_block_text : "New-MailboxExportRequest" @@ -3051,7 +3051,7 @@ event.category:process and powershell.file.script_block_text : "New-MailboxExpor Branch count: 2 Document count: 2 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python process where event.type == "start" and @@ -3070,7 +3070,7 @@ process where event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python sequence with maxspan=2h @@ -3093,7 +3093,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python sequence with maxspan=2h @@ -3118,7 +3118,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ 
@@ -3147,7 +3147,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python event.category:process and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3159,7 +3159,7 @@ event.category:process and event.type:(start or process_started) and process.arg Branch count: 1 Document count: 1 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where event.type == "start" and @@ -3174,7 +3174,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3186,7 +3186,7 @@ process where event.type == "start" and process.executable : "\\Device\\Mup\\tsc Branch count: 1 Document count: 1 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3198,7 +3198,7 @@ file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" Branch count: 24 Document count: 24 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python event.category:process and event.type:(start or process_started) and @@ -3212,7 +3212,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3224,7 +3224,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -3236,7 +3236,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where event.type == "start" and @@ -3250,7 +3250,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python event.kind:alert and not event.module:(endgame or endpoint) @@ -3262,7 +3262,7 @@ event.kind:alert and not event.module:(endgame or endpoint) Branch count: 19 Document count: 19 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python network where network.protocol == "dns" and @@ -3313,7 +3313,7 @@ network where network.protocol == "dns" and Branch count: 8 Document count: 8 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python event.category:process and event.type:(start or process_started) and process.name:shred and @@ -3326,7 +3326,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 24 Document count: 24 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python event.category:process and event.type:(start or process_started) and @@ -3341,7 +3341,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 375 Document count: 750 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python sequence by process.entity_id @@ -3367,7 +3367,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python process where event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd" 
@@ -3379,7 +3379,7 @@ process where event.type == "start" and user.name == "root" and process.executab Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -3405,7 +3405,7 @@ process where event.type in ("start", "process_started") and process.name : "plu Branch count: 4 Document count: 4 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and @@ -3419,7 +3419,7 @@ registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Erro Branch count: 2 Document count: 2 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -3431,7 +3431,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -3443,7 +3443,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -3455,7 +3455,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-231 +Index: geneve-ut-0231 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -3467,7 +3467,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -3479,7 +3479,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -3491,7 +3491,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -3503,7 +3503,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -3515,7 +3515,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -3527,7 +3527,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success 
@@ -3539,7 +3539,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -3551,7 +3551,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -3563,7 +3563,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -3575,7 +3575,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -3587,7 +3587,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -3599,7 +3599,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success 
@@ -3611,7 +3611,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -3623,7 +3623,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -3635,7 +3635,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-246 +Index: geneve-ut-0246 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -3647,7 +3647,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -3659,7 +3659,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -3671,7 +3671,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -3683,7 +3683,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success 
@@ -3695,7 +3695,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -3708,7 +3708,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.dataset:"google_workspace.admin" and event.action:"2sv_disable" @@ -3720,7 +3720,7 @@ event.dataset:"google_workspace.admin" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -3732,7 +3732,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -3745,7 +3745,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -3757,7 +3757,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) 
@@ -3770,7 +3770,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -3782,7 +3782,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -3795,7 +3795,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 1 Document count: 1 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -3809,7 +3809,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 12 Document count: 12 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -3830,7 +3830,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -3844,7 +3844,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) 
@@ -3856,7 +3856,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_GROUP_SETTING" and event.category:"iam" @@ -3871,7 +3871,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_GROUP_SETTING" a Branch count: 1 Document count: 1 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -3884,7 +3884,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 12 Document count: 12 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python any where @@ -3911,7 +3911,7 @@ any where Branch count: 6 Document count: 6 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) @@ -3923,7 +3923,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where event.type == "start" and @@ -3938,7 +3938,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python event.category:(network or network_traffic) and network.transport:udp and destination.port:4500 @@ -3950,7 +3950,7 @@ event.category:(network or network_traffic) and network.transport:udp and destin Branch count: 8 Document count: 8 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where event.type == "start" and @@ -3967,7 +3967,7 @@ process where event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-277 +Index: geneve-ut-0277 ```python sequence with maxspan=1m 
@@ -3986,7 +3986,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python sequence by host.id with maxspan=1m @@ -4004,7 +4004,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-279 +Index: geneve-ut-0279 ```python sequence by host.id with maxspan=5s @@ -4023,7 +4023,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-280 +Index: geneve-ut-0280 ```python sequence by host.id with maxspan = 30s @@ -4039,7 +4039,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python sequence by host.id with maxspan=30s @@ -4055,7 +4055,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 4 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4071,7 +4071,7 @@ sequence by process.entity_id Branch count: 4 Document count: 8 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan = 5m @@ -4087,7 +4087,7 @@ sequence by process.entity_id with maxspan = 5m Branch count: 2 Document count: 2 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python registry where @@ -4102,7 +4102,7 @@ registry where Branch count: 6 Document count: 6 -Index: geneve-ut-285 +Index: geneve-ut-0285 ```python event.category:process and event.type:(start or process_started) and process.name:perl and @@ -4115,7 +4115,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 6 Document count: 6 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python event.category:process and event.type:(start or process_started) and 
@@ -4131,7 +4131,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python event.action:modified-user-account and event.code:4738 and winlog.event_data.AllowedToDelegateTo:*krbtgt* @@ -4143,7 +4143,7 @@ event.action:modified-user-account and event.code:4738 and winlog.event_data.All Branch count: 2 Document count: 2 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python event.category:process and event.type:(start or process_started) and @@ -4157,7 +4157,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python network where event.type == "start" and network.direction : ("outgoing", "egress") and @@ -4205,7 +4205,7 @@ network where event.type == "start" and network.direction : ("outgoing", "egress Branch count: 6 Document count: 6 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python event.category:process and event.type:(start or process_started) and @@ -4218,7 +4218,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 1 Document count: 1 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python process where event.type == "start" and process.executable : "/usr/sbin/insmod" and process.args : "*.ko" @@ -4230,7 +4230,7 @@ process where event.type == "start" and process.executable : "/usr/sbin/insmod" Branch count: 16 Document count: 16 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where event.type == "start" and @@ -4245,7 +4245,7 @@ process where event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python kubernetes.audit.objectRef.resource:"services" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.type:"NodePort" 
@@ -4257,7 +4257,7 @@ kubernetes.audit.objectRef.resource:"services" and kubernetes.audit.verb:("creat Branch count: 3 Document count: 3 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostIPC:true @@ -4269,7 +4269,7 @@ kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" o Branch count: 3 Document count: 3 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostNetwork:true @@ -4281,7 +4281,7 @@ kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" o Branch count: 3 Document count: 3 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostPID:true @@ -4293,7 +4293,7 @@ kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" o Branch count: 42 Document count: 42 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python kubernetes.audit.objectRef.resource:"pods" @@ -4307,7 +4307,7 @@ kubernetes.audit.objectRef.resource:"pods" Branch count: 1 Document count: 1 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and @@ -4320,7 +4320,7 @@ kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and Branch count: 6 Document count: 6 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python kubernetes.audit.verb:"create" @@ -4334,7 +4334,7 @@ and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:* Branch count: 1 Document count: 1 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python kubernetes.audit.objectRef.resource:"pods" 
@@ -4347,7 +4347,7 @@ kubernetes.audit.objectRef.resource:"pods" Branch count: 20 Document count: 20 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and @@ -4366,7 +4366,7 @@ file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdm Branch count: 18 Document count: 18 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python any where event.action == "File System" and event.code == "4656" and @@ -4400,7 +4400,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 8 Document count: 8 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python file where event.type in ("creation", "change") and @@ -4418,7 +4418,7 @@ file where event.type in ("creation", "change") and Branch count: 6 Document count: 12 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python sequence by host.id with maxspan=1m @@ -4434,7 +4434,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python sequence by host.id with maxspan=1m @@ -4448,7 +4448,7 @@ sequence by host.id with maxspan=1m Branch count: 79 Document count: 79 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where event.type == "start" and @@ -4494,7 +4494,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python registry where registry.path : ( @@ -4509,7 +4509,7 @@ registry where registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python sequence with maxspan=1m 
@@ -4534,7 +4534,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -4546,7 +4546,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python registry where event.type == "change" and @@ -4570,7 +4570,7 @@ registry where event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by host.id, user.id with maxspan=30s @@ -4584,7 +4584,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -4596,7 +4596,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -4608,7 +4608,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -4620,7 +4620,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -4632,7 +4632,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -4644,7 +4644,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -4656,7 +4656,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -4668,7 +4668,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -4680,7 +4680,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -4692,7 +4692,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -4704,7 +4704,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -4716,7 +4716,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -4728,7 +4728,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -4740,7 +4740,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -4753,7 +4753,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -4772,7 +4772,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -4784,7 +4784,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -4799,7 +4799,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -4813,7 +4813,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -4827,7 +4827,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -4839,7 +4839,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -4851,7 +4851,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 3 Document count: 3 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python process where event.type == "start" and @@ -4865,7 +4865,7 @@ process where event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python process where event.type == "start" and @@ -4879,7 +4879,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python process where event.type == "start" and @@ -4893,7 +4893,7 @@ process where event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where event.type == "start" and @@ -4914,7 +4914,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python process where event.type == "start" and @@ -4928,7 +4928,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-340 +Index: geneve-ut-0340 ```python process where event.type == "start" and 
@@ -4947,7 +4947,7 @@ process where event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where event.type == "creation" and @@ -4972,7 +4972,7 @@ file where event.type == "creation" and Branch count: 8 Document count: 8 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.type == "start" and @@ -4987,7 +4987,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python process where event.type == "start" and @@ -5001,7 +5001,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and @@ -5015,7 +5015,7 @@ process where event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python registry where event.type in ("creation", "change") and @@ -5055,7 +5055,7 @@ registry where event.type in ("creation", "change") and Branch count: 1 Document count: 1 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python file where file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -5067,7 +5067,7 @@ file where file.name : "mimilsa.log" and process.name : "lsass.exe" Branch count: 12 Document count: 12 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python registry where event.type in ("creation", "change") and @@ -5085,7 +5085,7 @@ registry where event.type in ("creation", "change") and Branch count: 4 Document count: 4 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where event.type == "start" and @@ -5102,7 +5102,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload 
@@ -5114,7 +5114,7 @@ event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload Branch count: 1 Document count: 1 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python event.category:process and event.type:start and @@ -5140,7 +5140,7 @@ event.category:process and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python event.category:file and event.type:change and @@ -5155,7 +5155,7 @@ event.category:file and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python event.category:process and event.type:start and @@ -5177,7 +5177,7 @@ event.category:process and event.type:start and Branch count: 3 Document count: 3 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python event.category:file and event.type:change and @@ -5217,7 +5217,7 @@ event.category:file and event.type:change and Branch count: 16 Document count: 16 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python registry where event.type : ("creation", "change") and @@ -5234,7 +5234,7 @@ registry where event.type : ("creation", "change") and Branch count: 1 Document count: 1 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -5248,7 +5248,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -5260,7 +5260,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 12 Document count: 12 -Index: geneve-ut-357 +Index: geneve-ut-0357 ```python process where event.type == "start" and 
@@ -5279,7 +5279,7 @@ process where event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python sequence by process.entity_id @@ -5294,7 +5294,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python sequence by process.entity_id with maxspan=10m @@ -5312,7 +5312,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -5324,7 +5324,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -5349,7 +5349,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -5375,7 +5375,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 4 Document count: 8 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -5397,7 +5397,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 84 Document count: 84 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python process where event.type == "start" and @@ -5416,7 +5416,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python process where event.type == "start" and event.action == "exec" and 
@@ -5431,7 +5431,7 @@ not process.args : "/usr/bin/snap" Branch count: 1 Document count: 2 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python sequence by process.entity_id @@ -5451,7 +5451,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python sequence by process.entity_id @@ -5470,7 +5470,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python sequence by process.entity_id @@ -5489,7 +5489,7 @@ sequence by process.entity_id Branch count: 18 Document count: 36 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python sequence by process.entity_id @@ -5514,7 +5514,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python sequence by process.entity_id @@ -5536,7 +5536,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python registry where registry.data.strings != null and @@ -5559,7 +5559,7 @@ registry where registry.data.strings != null and Branch count: 3 Document count: 3 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python process where event.type == "start" and @@ -5572,7 +5572,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -5586,7 +5586,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.category:process and event.type:(start or process_started) and process.name:nping 
@@ -5598,7 +5598,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -5610,7 +5610,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -5624,7 +5624,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -5636,7 +5636,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -5648,7 +5648,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -5660,7 +5660,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -5675,7 +5675,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python process where event.type == "start" and 
@@ -5689,7 +5689,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -5701,7 +5701,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -5713,7 +5713,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python process where event.type == "start" and @@ -5731,7 +5731,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.category:file and not event.type:deletion and @@ -5744,7 +5744,7 @@ event.category:file and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.category : file and event.action : modification and @@ -5758,7 +5758,7 @@ event.category : file and event.action : modification and Branch count: 66 Document count: 132 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python sequence by host.id with maxspan=5s @@ -5774,7 +5774,7 @@ sequence by host.id with maxspan=5s Branch count: 7 Document count: 7 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python /* Registry Path ends with backslash */ @@ -5794,7 +5794,7 @@ registry where /* length(registry.data.strings) > 0 and */ Branch count: 32 Document count: 32 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where event.type != "deletion" and 
@@ -5819,7 +5819,7 @@ file where event.type != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python file where event.type != "deletion" and @@ -5838,7 +5838,7 @@ file where event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python file where event.type != "deletion" and @@ -5851,7 +5851,7 @@ file where event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python file where event.type != "deletion" and @@ -5867,7 +5867,7 @@ file where event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python file where event.type != "deletion" and @@ -5880,7 +5880,7 @@ file where event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python process where event.type == "start" and @@ -5899,7 +5899,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python process where event.type == "start" and @@ -5927,7 +5927,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python process where event.type == "start" and @@ -5942,7 +5942,7 @@ process where event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python registry where @@ -5981,7 +5981,7 @@ registry where Branch count: 7 Document count: 7 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python file where event.type != "deletion" and user.domain != "NT AUTHORITY" and @@ -6004,7 +6004,7 @@ file where event.type != "deletion" and user.domain != "NT AUTHORITY" and Branch count: 2 Document count: 2 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python registry where registry.path : ( 
@@ -6019,7 +6019,7 @@ registry where registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -6037,7 +6037,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -6049,7 +6049,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python sequence by user.email with maxspan=10m @@ -6064,7 +6064,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.category:process and event.type:(start or process_started) and @@ -6077,7 +6077,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python process where event.type == "start" and process.name : "sdbinst.exe" and @@ -6091,7 +6091,7 @@ process where event.type == "start" and process.name : "sdbinst.exe" and Branch count: 2 Document count: 6 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python sequence by host.id, user.name with maxspan = 5s @@ -6120,7 +6120,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python process where event.type in ("start", "process_started", "info") and 
@@ -6144,7 +6144,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python any where event.action == "Directory Service Access" and @@ -6174,7 +6174,7 @@ any where event.action == "Directory Service Access" and Branch count: 1 Document count: 1 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python process where event.code == "10" and @@ -6192,7 +6192,7 @@ process where event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python process where event.code == "10" and @@ -6211,7 +6211,7 @@ process where event.code == "10" and Branch count: 2 Document count: 4 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python sequence by process.entity_id with maxspan=1m @@ -6229,7 +6229,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python sequence by process.entity_id @@ -6244,7 +6244,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python process where event.type == "start" and @@ -6263,7 +6263,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where event.type == "start" and @@ -6284,7 +6284,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined) @@ -6296,7 +6296,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 2 Document count: 2 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0 
@@ -6308,7 +6308,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python process where event.type == "start" and @@ -6321,7 +6321,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python event.category:process and event.type:(start or process_started) and @@ -6334,7 +6334,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 60 Document count: 120 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python sequence by host.id with maxspan=1m @@ -6370,7 +6370,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python event.category:process and event.type:start and @@ -6383,7 +6383,7 @@ event.category:process and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python registry where event.type == "change" and @@ -6398,7 +6398,7 @@ registry where event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python process where event.code:"4688" and @@ -6412,7 +6412,7 @@ process where event.code:"4688" and Branch count: 16 Document count: 32 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by host.id with maxspan=30s @@ -6430,7 +6430,7 @@ sequence by host.id with maxspan=30s Branch count: 6 Document count: 6 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where event.type == "start" and @@ -6449,7 +6449,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos 
@@ -6461,7 +6461,7 @@ event.category:file and not event.type:deletion and file.name:~$*.zip and host.o Branch count: 16 Document count: 16 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python process where event.type == "start" and @@ -6501,7 +6501,7 @@ process where event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python sequence by process.entity_id with maxspan=1m @@ -6520,7 +6520,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -6560,7 +6560,7 @@ file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/ Branch count: 1 Document count: 1 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python event.category:"file" and not event.type:"deletion" and @@ -6573,7 +6573,7 @@ event.category:"file" and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python event.category:"file" and not event.type:"deletion" and @@ -6588,7 +6588,7 @@ event.category:"file" and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python event.category:"file" and not event.type:"deletion" and @@ -6601,7 +6601,7 @@ event.category:"file" and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python registry where event.type:"change" and @@ -6615,7 +6615,7 @@ registry where event.type:"change" and Branch count: 4 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python registry where event.type in ("creation", "change") and 
@@ -6632,7 +6632,7 @@ registry where event.type in ("creation", "change") and Branch count: 4 Document count: 4 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python process where event.type in ("start", "process_started") and @@ -6648,7 +6648,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python process where event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -6662,7 +6662,7 @@ process where event.type in ("start", "process_started") and process.name : "sql Branch count: 8 Document count: 8 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python /* This rule is compatible with both Sysmon and Elastic Endpoint */ @@ -6685,7 +6685,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python file where file.path : "/*GCONV_PATH*" @@ -6697,7 +6697,7 @@ file where file.path : "/*GCONV_PATH*" Branch count: 1 Document count: 1 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -6709,7 +6709,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python iam where event.action == "renamed-user-account" and @@ -6723,7 +6723,7 @@ iam where event.action == "renamed-user-account" and Branch count: 1 Document count: 2 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python sequence with maxspan=5s @@ -6743,7 +6743,7 @@ sequence with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python process where event.type == "start" and @@ -6756,7 +6756,7 @@ process where event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python sequence by winlog.computer_name, user.id with maxspan=1m 
@@ -6780,7 +6780,7 @@ sequence by winlog.computer_name, user.id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python /* Identifies the modification of RDP Shadow registry or @@ -6802,7 +6802,7 @@ any where Branch count: 5 Document count: 5 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python process where event.type == "start" and @@ -6817,7 +6817,7 @@ process where event.type == "start" and Branch count: 80 Document count: 80 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where event.type in ("start", "process_started") and @@ -6836,7 +6836,7 @@ process where event.type in ("start", "process_started") and Branch count: 8 Document count: 24 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python sequence by host.id, source.ip, user.name with maxspan=3s @@ -6853,7 +6853,7 @@ sequence by host.id, source.ip, user.name with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python file where event.type == "change" and file.name : "*AAA.AAA" @@ -6865,7 +6865,7 @@ file where event.type == "change" and file.name : "*AAA.AAA" Branch count: 1 Document count: 1 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -6878,7 +6878,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python process where event.type == "start" and event.action == "exec" and user.name == "root" @@ -6913,7 +6913,7 @@ process where event.type == "start" and event.action == "exec" and user.name == Branch count: 32 Document count: 96 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ 
@@ -6941,7 +6941,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 16 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -6957,7 +6957,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python event.category:process and @@ -6972,7 +6972,7 @@ event.category:process and Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -6984,7 +6984,7 @@ event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump Branch count: 9 Document count: 9 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python event.category:process and @@ -7007,7 +7007,7 @@ event.category:process and Branch count: 4 Document count: 4 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python registry where event.type == "change" and @@ -7023,7 +7023,7 @@ registry where event.type == "change" and Branch count: 11 Document count: 11 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.category:process and @@ -7048,7 +7048,7 @@ event.category:process and Branch count: 2 Document count: 2 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python process where event.type == "start" and @@ -7062,7 +7062,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python file where event.action : "Pipe Created*" and @@ -7076,7 +7076,7 @@ file where event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.category:file and not event.type:deletion and 
@@ -7089,7 +7089,7 @@ event.category:file and not event.type:deletion and Branch count: 2 Document count: 2 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and @@ -7102,7 +7102,7 @@ registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USER Branch count: 1 Document count: 5 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7120,7 +7120,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python process where event.type == "start" and @@ -7134,7 +7134,7 @@ process where event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by winlog.computer_name with maxspan=1m @@ -7155,7 +7155,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 66 Document count: 66 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python process where event.type == "start" and @@ -7193,7 +7193,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind Branch count: 2 Document count: 2 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -7205,7 +7205,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) 
@@ -7217,7 +7217,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process.name:MSBuild.exe and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -7229,7 +7229,7 @@ process.name:MSBuild.exe and event.action:"CreateRemoteThread detected (rule: Cr Branch count: 3 Document count: 6 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python sequence by host.id with maxspan=5s @@ -7253,7 +7253,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and @@ -7267,7 +7267,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python process where event.type in ("start", "process_started") and process.name : "osascript" and @@ -7280,7 +7280,7 @@ process where event.type in ("start", "process_started") and process.name : "osa Branch count: 1 Document count: 2 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python sequence by process.entity_id @@ -7304,7 +7304,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and @@ -7349,7 +7349,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 8 Document count: 8 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where event.type in ("creation", "change") and @@ -7364,7 +7364,7 @@ registry where event.type in ("creation", "change") and Branch count: 12 Document count: 12 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and 
@@ -7409,7 +7409,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 12 Document count: 12 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and @@ -7454,7 +7454,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -7466,7 +7466,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -7478,7 +7478,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python registry where @@ -7492,7 +7492,7 @@ registry where Branch count: 2 Document count: 2 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python registry where @@ -7510,7 +7510,7 @@ registry where Branch count: 18 Document count: 18 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python process where event.type == "start" and @@ -7525,7 +7525,7 @@ process where event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python sequence with maxspan=1m @@ -7539,7 +7539,7 @@ sequence with maxspan=1m Branch count: 16 Document count: 16 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python process where event.type == "start" and 
@@ -7553,7 +7553,7 @@ process where event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python file where event.type == "creation" and process.name : "TeamViewer.exe" and @@ -7566,7 +7566,7 @@ file where event.type == "creation" and process.name : "TeamViewer.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python process where event.type == "start" and @@ -7580,7 +7580,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-514 +Index: geneve-ut-0514 ```python process where event.type == "start" and @@ -7594,7 +7594,7 @@ process where event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -7611,7 +7611,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python sequence by host.id, process.entity_id @@ -7627,7 +7627,7 @@ sequence by host.id, process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python /* Network Logon followed by Scheduled Task creation */ @@ -7647,7 +7647,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.category:process and event.type:(start or process_started) and @@ -7662,7 +7662,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 4 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -7681,7 +7681,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 3 Document count: 3 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python process where event.type == "start" and 
@@ -7695,7 +7695,7 @@ process where event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -7737,7 +7737,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 8 Document count: 16 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python sequence with maxspan=1s @@ -7784,7 +7784,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python process where event.type == "start" and @@ -7797,7 +7797,7 @@ process where event.type == "start" and Branch count: 72 Document count: 216 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python sequence by host.id with maxspan = 5s @@ -7814,7 +7814,7 @@ sequence by host.id with maxspan = 5s Branch count: 24 Document count: 24 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.category:(network or network_traffic) and network.protocol:http and @@ -7860,7 +7860,7 @@ event.category:(network or network_traffic) and network.protocol:http and Branch count: 4 Document count: 4 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python registry where event.type:"change" and @@ -7879,7 +7879,7 @@ registry where event.type:"change" and Branch count: 18 Document count: 18 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and @@ -7924,7 +7924,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 4 Document count: 4 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26)) 
@@ -7936,7 +7936,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti Branch count: 4 Document count: 4 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.category:file and event.type:(change or creation) and @@ -7961,7 +7961,7 @@ event.category:file and event.type:(change or creation) and Branch count: 20 Document count: 40 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python sequence by host.id with maxspan = 30s @@ -7977,7 +7977,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python registry where @@ -7993,7 +7993,7 @@ registry where Branch count: 27 Document count: 27 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python file where event.type != "deletion" and @@ -8034,7 +8034,7 @@ file where event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python any where event.provider: "Microsoft-Windows-Security-Auditing" and @@ -8068,7 +8068,7 @@ any where event.provider: "Microsoft-Windows-Security-Auditing" and Branch count: 2 Document count: 2 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python process where event.type == "start" and @@ -8082,7 +8082,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python process where event.type == "start" and @@ -8096,7 +8096,7 @@ process where event.type == "start" and Branch count: 58 Document count: 58 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python process where event.type == "start" and @@ -8142,7 +8142,7 @@ process.name : "grep" and user.id != "0" and Branch count: 135 Document count: 135 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python event.category:process and event.type:start and 
@@ -8185,7 +8185,7 @@ event.category:process and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python event.action: "Authorization Policy Change" and event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" @@ -8197,7 +8197,7 @@ event.action: "Authorization Policy Change" and event.code:4704 and winlog.event Branch count: 16 Document count: 32 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python sequence by process.entity_id with maxspan = 1m @@ -8214,7 +8214,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -8234,7 +8234,7 @@ process where event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python sequence by winlog.computer_name with maxspan=5m @@ -8258,7 +8258,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 1 Document count: 1 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -8270,7 +8270,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python sequence by host.id with maxspan=5s @@ -8284,7 +8284,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where event.type == "start" @@ -8298,7 +8298,7 @@ process where event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python event.category:process and event.type:(start or process_started) and 
@@ -8312,7 +8312,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 28 Document count: 28 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python registry where registry.path : ( @@ -8336,7 +8336,7 @@ registry where registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -8361,7 +8361,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python file where event.type != "deletion" and @@ -8394,7 +8394,7 @@ file where event.type != "deletion" and Branch count: 60 Document count: 60 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python registry where registry.data.strings != null and @@ -8429,7 +8429,7 @@ registry where registry.data.strings != null and Branch count: 4 Document count: 4 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python file where event.type in ("change", "creation") and file.extension : "py" and @@ -8454,7 +8454,7 @@ file where event.type in ("change", "creation") and file.extension : "py" and Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) @@ -8466,7 +8466,7 @@ event.category:file and event.type:change and file.path:(/etc/sudoers* or /priva Branch count: 16 Document count: 16 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.type == "start" and @@ -8480,7 +8480,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python event.category:process and @@ -8496,7 +8496,7 @@ event.category:process and Branch count: 1 Document count: 1 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser 
@@ -8508,7 +8508,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 4 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by host.id with maxspan=30s @@ -8522,7 +8522,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python process where event.type in ("start", "process_started") and @@ -8552,7 +8552,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python event.category:file and event.action:modification and @@ -8576,7 +8576,7 @@ event.category:file and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python process where event.type == "start" and @@ -8590,7 +8590,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python event.category:process and event.type:(start or process_started) and @@ -8613,7 +8613,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python process where event.type == "start" and @@ -8627,7 +8627,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python file where event.type != "deletion" and process.name != null and @@ -8640,7 +8640,7 @@ file where event.type != "deletion" and process.name != null and Branch count: 126 Document count: 126 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python any where @@ -8668,7 +8668,7 @@ any where Branch count: 44 Document count: 44 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python process where event.type in ("start", "process_started") and 
@@ -8704,7 +8704,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-576 +Index: geneve-ut-0576 ```python process where event.type == "start" and @@ -8723,7 +8723,7 @@ process where event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-578 +Index: geneve-ut-0578 ```python process where event.type == "start" and process.executable : "C:\\*" and @@ -8739,7 +8739,7 @@ process where event.type == "start" and process.executable : "C:\\*" and Branch count: 14 Document count: 14 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python process where event.type == "start" and @@ -8763,7 +8763,7 @@ process where event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python file where event.action == "creation" and user.name == "root" and @@ -8778,7 +8778,7 @@ and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python event.category:process and event.type:(start or process_started) and @@ -8791,7 +8791,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 20 Document count: 20 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python any where @@ -8806,7 +8806,7 @@ any where Branch count: 2 Document count: 2 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" and @@ -8820,7 +8820,7 @@ registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePat Branch count: 16 Document count: 16 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python process where event.type in ("start", "process_started") and 
@@ -8834,7 +8834,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python process where event.code == "10" and @@ -8853,7 +8853,7 @@ process where event.code == "10" and Branch count: 456 Document count: 456 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python process where event.type == "start" and @@ -8873,7 +8873,7 @@ process where event.type == "start" and Branch count: 52 Document count: 52 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python process where event.type == "start" and @@ -8894,7 +8894,7 @@ process where event.type == "start" and Branch count: 64 Document count: 128 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by process.entity_id with maxspan=5m @@ -8917,7 +8917,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 2 Document count: 2 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python library where process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -8993,7 +8993,7 @@ library where process.executable : "?:\\Windows\\System32\\lsass.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by process.entity_id with maxspan=1m @@ -9009,7 +9009,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 212 Document count: 212 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python process where event.type == "start" and @@ -9033,7 +9033,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python event.category:process and @@ -9048,7 +9048,7 @@ event.category:process and Branch count: 1 Document count: 1 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python file where event.type : "deletion" and @@ -9062,7 +9062,7 @@ file where event.type : "deletion" and Branch count: 1 Document count: 2 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id with maxspan=30s 
@@ -9080,7 +9080,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python file where event.type != "deletion" and @@ -9113,7 +9113,7 @@ file where event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python file where event.type == "creation" and @@ -9132,7 +9132,7 @@ file where event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where event.type == "start" and @@ -9145,7 +9145,7 @@ process where event.type == "start" and Branch count: 32 Document count: 32 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and @@ -9172,7 +9172,7 @@ any where (event.category == "library" or (event.category == "process" and event Branch count: 1 Document count: 2 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -9190,7 +9190,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 2 Document count: 4 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python sequence by process.entity_id with maxspan=2m @@ -9224,7 +9224,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 2 Document count: 2 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python process where event.type == "start" and @@ -9249,7 +9249,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python registry where @@ -9275,7 +9275,7 @@ registry where Branch count: 30 Document count: 30 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python any where 
@@ -9290,7 +9290,7 @@ any where Branch count: 48 Document count: 96 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python sequence by process.entity_id with maxspan = 2m @@ -9308,7 +9308,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python process where event.type == "start" and @@ -9327,7 +9327,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python process where event.type == "start" and @@ -9340,7 +9340,7 @@ process where event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-614 +Index: geneve-ut-0614 ```python process where event.type in ("start", "process_started") and @@ -9386,7 +9386,7 @@ process where event.type in ("start", "process_started") and Branch count: 2 Document count: 2 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python process where event.type == "start" and @@ -9418,7 +9418,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-618 +Index: geneve-ut-0618 ```python process where event.type == "start" and @@ -9431,7 +9431,7 @@ process where event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python file where event.type == "deletion" and @@ -9458,7 +9458,7 @@ file where event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python process where event.type == "start" and @@ -9475,7 +9475,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.category:process and event.type:(start or process_started) and 
@@ -9488,7 +9488,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 2 Document count: 2 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python event.category : process and event.type : (start or process_started) and process.name : mount_apfs and @@ -9501,7 +9501,7 @@ event.category : process and event.type : (start or process_started) and process Branch count: 90 Document count: 90 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python process where event.type in ("start", "process_started") and @@ -9524,7 +9524,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -9538,7 +9538,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python file where event.type == "deletion" and @@ -9562,7 +9562,7 @@ file where event.type == "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python event.dataset:okta.system and event.action:security.threat.detected @@ -9574,7 +9574,7 @@ event.dataset:okta.system and event.action:security.threat.detected Branch count: 4 Document count: 4 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where event.type == "start" and @@ -9589,7 +9589,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python process where event.type == "start" and @@ -9606,7 +9606,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python file where event.type : "change" and process.name : "dllhost.exe" and 
@@ -9622,7 +9622,7 @@ file where event.type : "change" and process.name : "dllhost.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where event.type == "start" and @@ -9635,7 +9635,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python process where event.type == "start" and process.name : "Clipup.exe" and @@ -9650,7 +9650,7 @@ process where event.type == "start" and process.name : "Clipup.exe" and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python process where event.type == "start" and @@ -9666,7 +9666,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where event.type == "start" and @@ -9681,7 +9681,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python process where event.type == "start" and @@ -9697,7 +9697,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -9709,7 +9709,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python process where event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -9721,7 +9721,7 @@ process where event.type == "start" and process.parent.name == "ScreenSaverEngin Branch count: 1 Document count: 1 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python process where event.type == "start" and 
@@ -9735,7 +9735,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python process where event.type == "start" and process.parent.name : "dns.exe" and @@ -9748,7 +9748,7 @@ process where event.type == "start" and process.parent.name : "dns.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python sequence with maxspan=1h @@ -9766,7 +9766,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python file where event.type != "deletion" and @@ -9788,7 +9788,7 @@ file where event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python file where event.type == "creation" and @@ -9851,7 +9851,7 @@ file where event.type == "creation" and Branch count: 3 Document count: 3 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python file where process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -9864,7 +9864,7 @@ file where process.name : "dns.exe" and event.type in ("creation", "deletion", " Branch count: 400 Document count: 800 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python sequence by process.entity_id with maxspan=5m @@ -9920,7 +9920,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -9939,7 +9939,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -9958,7 +9958,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python process where event.type == "start" and 
@@ -9995,7 +9995,7 @@ process where event.type == "start" and Branch count: 32 Document count: 32 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python process where event.type == "start" and @@ -10036,7 +10036,7 @@ process.parent.name != null and Branch count: 4 Document count: 4 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and @@ -10061,7 +10061,7 @@ registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\Service Branch count: 32 Document count: 32 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where event.type == "start" and @@ -10084,7 +10084,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where event.type == "start" and @@ -10097,7 +10097,7 @@ process where event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python sequence by process.entity_id @@ -10134,7 +10134,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where event.type == "start" and @@ -10149,7 +10149,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) @@ -10161,7 +10161,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) 
@@ -10173,7 +10173,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python iam where event.action == "added-member-to-group" and @@ -10193,7 +10193,7 @@ iam where event.action == "added-member-to-group" and Branch count: 1 Document count: 1 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectClass:"user" @@ -10206,7 +10206,7 @@ and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" Branch count: 6 Document count: 6 -Index: geneve-ut-692 +Index: geneve-ut-0692 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -10251,7 +10251,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 6 Document count: 6 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -10296,7 +10296,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 10 Document count: 10 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python event.category:process and event.type:(start or process_started) and @@ -10314,7 +10314,7 @@ event.category:process and event.type:(start or process_started) and Branch count: 6 Document count: 6 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python process where event.type == "start" and @@ -10329,7 +10329,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python process where event.type in ("start", "process_started") and 
@@ -10346,7 +10346,7 @@ process where event.type in ("start", "process_started") and Branch count: 4 Document count: 4 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where event.type == "start" @@ -10360,7 +10360,7 @@ process where event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where event.type == "start" and @@ -10376,7 +10376,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where event.type == "start" and @@ -10390,7 +10390,7 @@ process where event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-700 +Index: geneve-ut-0700 ```python sequence by host.id with maxspan = 2s @@ -10418,7 +10418,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python url.path:* @@ -10430,7 +10430,7 @@ url.path:* Branch count: 1 Document count: 1 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python http.response.status_code:403 and http.request.method:post @@ -10442,7 +10442,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python http.response.status_code:405 @@ -10454,7 +10454,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -10466,7 +10466,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 42 Document count: 42 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python process where event.type == "start" and @@ -10480,7 +10480,7 @@ process where event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category : process and event.type : start and 
@@ -10496,7 +10496,7 @@ event.category : process and event.type : start and Branch count: 5 Document count: 5 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python file where event.type == "deletion" and @@ -10513,7 +10513,7 @@ file where event.type == "deletion" and Branch count: 33 Document count: 33 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where event.type == "start" and process.name : "whoami.exe" and @@ -10542,7 +10542,7 @@ process where event.type == "start" and process.name : "whoami.exe" and Branch count: 24 Document count: 24 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python registry where event.type in ("creation", "change") and @@ -10575,7 +10575,7 @@ registry where event.type in ("creation", "change") and Branch count: 12 Document count: 12 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where event.type == "start" and @@ -10590,7 +10590,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python event.action:("audit-log-cleared" or "Log clear") @@ -10602,7 +10602,7 @@ event.action:("audit-log-cleared" or "Log clear") Branch count: 16 Document count: 16 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where event.action == "start" and @@ -10618,7 +10618,7 @@ process where event.action == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where event.type == "start" and @@ -10643,7 +10643,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python file where event.type == "creation" and @@ -10658,7 +10658,7 @@ file where event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-716 +Index: geneve-ut-0716 ```python process where event.type == "start" and 
@@ -10671,7 +10671,7 @@ process where event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python sequence by host.id with maxspan = 5s @@ -10710,7 +10710,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") @@ -10722,7 +10722,7 @@ event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or Branch count: 2 Document count: 2 -Index: geneve-ut-719 +Index: geneve-ut-0719 ```python process where event.type == "start" and @@ -10736,7 +10736,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.4.md b/tests/reports/alerts_from_rules-8.4.md index e934fc7e..fb4a7ac7 100644 --- a/tests/reports/alerts_from_rules-8.4.md +++ b/tests/reports/alerts_from_rules-8.4.md @@ -18,7 +18,7 @@ Rules version: 8.4.5 Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -30,7 +30,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 6 Document count: 6 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -48,7 +48,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and 
@@ -66,7 +66,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 1024 Document count: 10240 -Index: geneve-ut-461 +Index: geneve-ut-0461 Failure message(s): got 1000 signals, expected 1024 @@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=10s Branch count: 84 Document count: 84 -Index: geneve-ut-494 +Index: geneve-ut-0494 Failure message(s): got 48 signals, expected 84 @@ -98,7 +98,7 @@ process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "ww Branch count: 4608 Document count: 4608 -Index: geneve-ut-614 +Index: geneve-ut-0614 Failure message(s): got 1000 signals, expected 4608 @@ -151,7 +151,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where host.os.type == "windows" and event.action == "scheduled-task-created" and @@ -173,7 +173,7 @@ iam where host.os.type == "windows" and event.action == "scheduled-task-created" Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where host.os.type == "windows" and event.action == "scheduled-task-updated" and @@ -194,7 +194,7 @@ iam where host.os.type == "windows" and event.action == "scheduled-task-updated" Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue @@ -206,7 +206,7 @@ event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success 
@@ -218,7 +218,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -230,7 +230,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -242,7 +242,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -254,7 +254,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -266,7 +266,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -278,7 +278,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success 
@@ -290,7 +290,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -305,7 +305,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -317,7 +317,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -330,7 +330,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -342,7 +342,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -356,7 +356,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -368,7 +368,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -380,7 +380,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -392,7 +392,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -404,7 +404,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -417,7 +417,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -430,7 +430,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -444,7 +444,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -457,7 +457,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -469,7 +469,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -481,7 +481,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -493,7 +493,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -505,7 +505,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success 
@@ -517,7 +517,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -529,7 +529,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -541,7 +541,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -553,7 +553,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -565,7 +565,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -577,7 +577,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -589,7 +589,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -601,7 +601,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -613,7 +613,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -625,7 +625,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -637,7 +637,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -649,7 +649,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and 
@@ -662,7 +662,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -674,7 +674,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -689,7 +689,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -701,7 +701,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -713,7 +713,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -726,7 +726,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or 
@@ -739,7 +739,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -752,7 +752,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -767,7 +767,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -780,7 +780,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -793,7 +793,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -807,7 +807,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -820,7 +820,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success 
@@ -832,7 +832,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -844,7 +844,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -856,7 +856,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 6 Document count: 6 -Index: geneve-ut-058 +Index: geneve-ut-0058 ```python event.category:(network or network_traffic) and destination.port:53 and @@ -869,7 +869,7 @@ event.category:(network or network_traffic) and destination.port:53 and Branch count: 8 Document count: 8 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.category:(network or network_traffic) and destination.port:23 @@ -885,7 +885,7 @@ event.category:(network or network_traffic) and destination.port:23 Branch count: 26 Document count: 26 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -913,7 +913,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -951,7 +951,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python any where host.os.type == "windows" and event.action == "Directory Service Access" and event.code == "4662" and @@ -986,7 +986,7 @@ any where host.os.type == "windows" and event.action == "Directory Service Acces Branch count: 4 Document count: 4 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1002,7 +1002,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python sequence by winlog.computer_name with maxspan=5m @@ -1029,7 +1029,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 36 Document count: 36 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1049,7 +1049,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1062,7 +1062,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python event.action:"Directory Service Changes" and host.os.type:windows and event.code:5136 and @@ -1075,7 +1075,7 @@ event.action:"Directory Service Changes" and host.os.type:windows and event.code Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:okta.system and event.action:group.privilege.grant 
@@ -1087,7 +1087,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1099,7 +1099,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1114,7 +1114,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1126,7 +1126,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.agent_id_status:agent_id_mismatch @@ -1138,7 +1138,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1157,7 +1157,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1170,7 +1170,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION 
@@ -1182,7 +1182,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1197,7 +1197,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1209,7 +1209,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1221,7 +1221,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-086 +Index: geneve-ut-0086 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1233,7 +1233,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1245,7 +1245,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1257,7 +1257,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:policy.rule.deactivate 
@@ -1269,7 +1269,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1281,7 +1281,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:zone.delete @@ -1293,7 +1293,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1305,7 +1305,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1317,7 +1317,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1330,7 +1330,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 17 Document count: 17 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -1357,7 +1357,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and 
@@ -1373,7 +1373,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1386,7 +1386,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1405,7 +1405,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1420,7 +1420,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1432,7 +1432,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1444,7 +1444,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1456,7 +1456,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:okta.system and event.action:policy.rule.update 
@@ -1468,7 +1468,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1487,7 +1487,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1505,7 +1505,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1517,7 +1517,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1529,7 +1529,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1542,7 +1542,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1554,7 +1554,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 1 Document count: 1 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -1569,7 +1569,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1583,7 +1583,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:azure.signinlogs and @@ -1597,7 +1597,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python event.dataset:azure.signinlogs and @@ -1610,7 +1610,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:azure.signinlogs and @@ -1624,7 +1624,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1637,7 +1637,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -1649,7 +1649,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) 
@@ -1661,7 +1661,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.activitylogs and @@ -1680,7 +1680,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.activitylogs and @@ -1694,7 +1694,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.activitylogs and @@ -1712,7 +1712,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -1724,7 +1724,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -1739,7 +1739,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -1751,7 +1751,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and 
@@ -1764,7 +1764,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -1776,7 +1776,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -1788,7 +1788,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -1800,7 +1800,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1812,7 +1812,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -1824,7 +1824,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -1836,7 +1836,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -1849,7 +1849,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -1862,7 +1862,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -1877,7 +1877,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -1889,7 +1889,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) 
@@ -1901,7 +1901,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -1913,7 +1913,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -1925,7 +1925,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -1937,7 +1937,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -1949,7 +1949,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or 
@@ -1967,7 +1967,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -1979,7 +1979,7 @@ process where host.os.type == "linux" and event.type != "end" and process.execut Branch count: 8 Document count: 8 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -1992,7 +1992,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 9 Document count: 9 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.category:file and event.type:change and @@ -2027,7 +2027,7 @@ event.category:file and event.type:change and Branch count: 8 Document count: 8 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python process where host.os.type == "linux" and event.type == "start" and @@ -2047,7 +2047,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2065,7 +2065,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and @@ -2081,7 +2081,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2097,7 +2097,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2119,7 +2119,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 17 Document count: 17 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2139,7 +2139,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -2156,7 +2156,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2176,7 +2176,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python sequence by process.entity_id @@ -2196,7 +2196,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2213,7 +2213,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 56 Document count: 56 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python registry where host.os.type == "windows" and @@ -2265,7 +2265,7 @@ registry where host.os.type == "windows" and Branch count: 24 Document count: 24 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python network where host.os.type == "windows" and network.protocol == "dns" and 
@@ -2290,7 +2290,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python sequence by process.entity_id @@ -2310,7 +2310,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python sequence by process.entity_id @@ -2330,7 +2330,7 @@ sequence by process.entity_id Branch count: 24 Document count: 24 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2356,7 +2356,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2376,7 +2376,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -2389,7 +2389,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" @@ -2401,7 +2401,7 @@ file where host.os.type == "linux" and event.type == "creation" and file.extensi Branch count: 2 Document count: 2 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python registry where host.os.type == "windows" and registry.path : ( 
@@ -2416,7 +2416,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2428,7 +2428,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2461,7 +2461,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -2476,7 +2476,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2491,7 +2491,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2503,7 +2503,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) 
@@ -2515,7 +2515,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2527,7 +2527,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2539,7 +2539,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2551,7 +2551,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:cyberarkpas.audit and @@ -2566,7 +2566,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2584,7 +2584,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 6 Document count: 6 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or @@ -2598,7 +2598,7 @@ event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A4 Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2612,7 +2612,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2626,7 +2626,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python sequence by process.entity_id @@ -2653,7 +2653,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2675,7 +2675,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2692,7 +2692,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -2714,7 +2714,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2728,7 +2728,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS 
@@ -2740,7 +2740,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.category:process and host.os.type:macos and event.type:start and @@ -2753,7 +2753,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -2765,7 +2765,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 8 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python sequence by process.entity_id with maxspan=1m @@ -2780,7 +2780,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -2792,7 +2792,7 @@ event.category:process and event.type:(start or process_started) and process.nam Branch count: 199 Document count: 199 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python process where @@ -2820,7 +2820,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2833,7 +2833,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2847,7 +2847,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python registry where host.os.type == "windows" and 
@@ -2861,7 +2861,7 @@ registry where host.os.type == "windows" and Branch count: 34 Document count: 34 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2885,7 +2885,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -2897,7 +2897,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2911,7 +2911,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2927,7 +2927,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2965,7 +2965,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2990,7 +2990,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and 
@@ -3003,7 +3003,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python iam where host.os.type == "windows" and event.action == "user-member-enumerated" and @@ -3060,7 +3060,7 @@ iam where host.os.type == "windows" and event.action == "user-member-enumerated" Branch count: 46 Document count: 46 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3090,7 +3090,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" @@ -3102,7 +3102,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 2 Document count: 2 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3121,7 +3121,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python sequence with maxspan=2h @@ -3144,7 +3144,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python sequence with maxspan=2h @@ -3169,7 +3169,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ 
@@ -3198,7 +3198,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3210,7 +3210,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3225,7 +3225,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3237,7 +3237,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 4 Document count: 4 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3262,7 +3262,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3274,7 +3274,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -3288,7 +3288,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3300,7 +3300,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3312,7 +3312,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3326,7 +3326,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3338,7 +3338,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 19 Document count: 19 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3389,7 +3389,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 1 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python file where host.os.type == "windows" and event.code : "2" and 
@@ -3418,7 +3418,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 8 Document count: 8 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and @@ -3431,7 +3431,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 24 Document count: 24 -Index: geneve-ut-231 +Index: geneve-ut-0231 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -3446,7 +3446,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 375 Document count: 750 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -3473,7 +3473,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python process where host.os.type == "linux" and event.type == "start" and user.name == "root" and @@ -3487,7 +3487,7 @@ process where host.os.type == "linux" and event.type == "start" and user.name == Branch count: 2 Document count: 2 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -3513,7 +3513,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python event.dataset: google_workspace.alert @@ -3525,7 +3525,7 @@ event.dataset: google_workspace.alert Branch count: 4 Document count: 4 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and 
@@ -3539,7 +3539,7 @@ registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Mi Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -3551,7 +3551,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -3563,7 +3563,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -3575,7 +3575,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -3587,7 +3587,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -3599,7 +3599,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success 
@@ -3611,7 +3611,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -3623,7 +3623,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-246 +Index: geneve-ut-0246 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -3635,7 +3635,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -3647,7 +3647,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -3659,7 +3659,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -3671,7 +3671,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success 
@@ -3683,7 +3683,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -3695,7 +3695,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -3707,7 +3707,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -3719,7 +3719,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -3731,7 +3731,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -3743,7 +3743,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success 
@@ -3755,7 +3755,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -3767,7 +3767,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -3779,7 +3779,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -3791,7 +3791,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -3803,7 +3803,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -3815,7 +3815,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -3828,7 +3828,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python event.dataset:"google_workspace.admin" and event.action:"2sv_disable" 
@@ -3840,7 +3840,7 @@ event.dataset:"google_workspace.admin" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -3852,7 +3852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-265 +Index: geneve-ut-0265 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -3865,7 +3865,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -3877,7 +3877,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -3890,7 +3890,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -3902,7 +3902,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") 
@@ -3915,7 +3915,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -3932,7 +3932,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -3946,7 +3946,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python sequence by source.user.email with maxspan=3m @@ -3970,7 +3970,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -3991,7 +3991,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4005,7 +4005,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -4017,7 +4017,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-276 +Index: geneve-ut-0276 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER 
@@ -4029,7 +4029,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-277 +Index: geneve-ut-0277 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -4042,7 +4042,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-279 +Index: geneve-ut-0279 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4055,7 +4055,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python sequence by process.entity_id with maxspan=5m @@ -4072,7 +4072,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-285 +Index: geneve-ut-0285 ```python any where @@ -4099,7 +4099,7 @@ any where Branch count: 6 Document count: 6 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) @@ -4111,7 +4111,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4126,7 +4126,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python event.category:(network or network_traffic) and network.transport:udp and destination.port:4500 @@ -4138,7 +4138,7 @@ event.category:(network or network_traffic) and network.transport:udp and destin Branch count: 8 Document count: 8 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4155,7 +4155,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python sequence with maxspan=1m @@ -4174,7 +4174,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python sequence by host.id with maxspan=1m @@ -4192,7 +4192,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python sequence by host.id with maxspan=5s @@ -4211,7 +4211,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python sequence by host.id with maxspan = 30s @@ -4226,7 +4226,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python sequence by host.id with maxspan=30s @@ -4242,7 +4242,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 4 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4258,7 +4258,7 @@ sequence by process.entity_id Branch count: 4 Document count: 8 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python sequence by process.entity_id with maxspan = 5m @@ -4274,7 +4274,7 @@ sequence by process.entity_id with maxspan = 5m Branch count: 4 Document count: 4 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python registry where host.os.type == "windows" and @@ -4293,7 +4293,7 @@ registry where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and 
@@ -4306,7 +4306,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -4322,7 +4322,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python event.action:modified-user-account and host.os.type:windows and event.code:4738 and @@ -4335,7 +4335,7 @@ event.action:modified-user-account and host.os.type:windows and event.code:4738 Branch count: 2 Document count: 2 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4349,7 +4349,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and @@ -4397,7 +4397,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 6 Document count: 6 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -4410,7 +4410,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4423,7 +4423,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python process where host.os.type == "macos" and event.type == "start" and 
@@ -4438,7 +4438,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python event.dataset : "kubernetes.audit_logs" @@ -4453,7 +4453,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python event.dataset: "kubernetes.audit_logs" @@ -4467,7 +4467,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python event.dataset : "kubernetes.audit_logs" @@ -4483,7 +4483,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python event.dataset : "kubernetes.audit_logs" @@ -4500,7 +4500,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python event.dataset : "kubernetes.audit_logs" @@ -4517,7 +4517,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python event.dataset : "kubernetes.audit_logs" @@ -4534,7 +4534,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python event.dataset : "kubernetes.audit_logs" @@ -4567,7 +4567,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.dataset : "kubernetes.audit_logs" @@ -4584,7 +4584,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python event.dataset : "kubernetes.audit_logs" @@ -4601,7 +4601,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python event.dataset : "kubernetes.audit_logs" 
@@ -4618,7 +4618,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python event.dataset : "kubernetes.audit_logs" @@ -4634,7 +4634,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and @@ -4653,7 +4653,7 @@ file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp Branch count: 18 Document count: 18 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python any where host.os.type == "windows" and event.action == "File System" and event.code == "4656" and @@ -4687,7 +4687,7 @@ any where host.os.type == "windows" and event.action == "File System" and event. Branch count: 8 Document count: 8 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -4705,7 +4705,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python sequence by host.id with maxspan=1m @@ -4721,7 +4721,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python sequence by host.id with maxspan=1m @@ -4735,7 +4735,7 @@ sequence by host.id with maxspan=1m Branch count: 99 Document count: 99 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4781,7 +4781,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python registry where host.os.type == "windows" and registry.path : ( 
@@ -4796,7 +4796,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python sequence with maxspan=1m @@ -4821,7 +4821,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -4833,7 +4833,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -4857,7 +4857,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python sequence by host.id, user.id with maxspan=30s @@ -4871,7 +4871,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -4883,7 +4883,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
@@ -4895,7 +4895,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -4907,7 +4907,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -4919,7 +4919,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -4931,7 +4931,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -4943,7 +4943,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-340 +Index: geneve-ut-0340 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success 
@@ -4955,7 +4955,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -4967,7 +4967,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -4979,7 +4979,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -4991,7 +4991,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -5003,7 +5003,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success 
@@ -5015,7 +5015,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -5027,7 +5027,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -5040,7 +5040,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -5059,7 +5059,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -5071,7 +5071,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -5086,7 +5086,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -5100,7 +5100,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5114,7 +5114,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -5126,7 +5126,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -5138,7 +5138,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 3 Document count: 3 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5152,7 +5152,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5166,7 +5166,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-357 +Index: geneve-ut-0357 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5180,7 +5180,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5201,7 +5201,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5215,7 +5215,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5234,7 +5234,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -5259,7 +5259,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 8 Document count: 8 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5274,7 +5274,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5288,7 +5288,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5302,7 +5302,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -5342,7 +5342,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -5354,7 +5354,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5372,7 +5372,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5389,7 +5389,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload @@ -5401,7 +5401,7 @@ event.category:file and host.os.type:linux and not event.type:deletion and file. Branch count: 1 Document count: 1 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python event.category:process and host.os.type:macos and event.type:start and @@ -5427,7 +5427,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.category:file and host.os.type:linux and event.type:change and @@ -5442,7 +5442,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -5464,7 +5464,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 3 Document count: 3 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.category:file and event.type:change and @@ -5504,7 +5504,7 @@ event.category:file and event.type:change and Branch count: 16 Document count: 16 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -5521,7 +5521,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.action:"Directory Service Changes" and host.os.type:windows and event.code:"5136" and @@ -5535,7 +5535,7 @@ event.action:"Directory Service Changes" and host.os.type:windows and event.code Branch count: 2 Document count: 2 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -5547,7 +5547,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 12 Document count: 12 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5566,7 +5566,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python sequence by process.entity_id @@ -5581,7 +5581,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python sequence by process.entity_id with maxspan=10m 
@@ -5599,7 +5599,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -5611,7 +5611,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -5636,7 +5636,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -5662,7 +5662,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 4 Document count: 8 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -5684,7 +5684,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 84 Document count: 84 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5703,7 +5703,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -5718,7 +5718,7 @@ not process.args : "/usr/bin/snap" Branch count: 1 Document count: 2 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python sequence by process.entity_id @@ -5738,7 +5738,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python sequence by process.entity_id 
@@ -5757,7 +5757,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python sequence by process.entity_id @@ -5776,7 +5776,7 @@ sequence by process.entity_id Branch count: 18 Document count: 36 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python sequence by process.entity_id @@ -5801,7 +5801,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python sequence by process.entity_id @@ -5823,7 +5823,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python registry where host.os.type == "windows" and registry.data.strings != null and @@ -5846,7 +5846,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and Branch count: 3 Document count: 3 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5859,7 +5859,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -5873,7 +5873,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping @@ -5885,7 +5885,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" 
@@ -5897,7 +5897,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -5911,7 +5911,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -5923,7 +5923,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -5935,7 +5935,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -5947,7 +5947,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -5962,7 +5962,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5976,7 +5976,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -5988,7 +5988,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6000,7 +6000,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6018,7 +6018,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -6031,7 +6031,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -6045,7 +6045,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python sequence by host.id with maxspan=5s @@ -6061,7 +6061,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python /* Registry Path ends with backslash */ 
@@ -6086,7 +6086,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -6111,7 +6111,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python process where host.os.type == "macos" and event.type == "start" and @@ -6131,7 +6131,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6150,7 +6150,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6163,7 +6163,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6179,7 +6179,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6192,7 +6192,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -6211,7 +6211,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6239,7 +6239,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6254,7 +6254,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python registry where host.os.type == "windows" and @@ -6317,7 +6317,7 @@ registry where host.os.type == "windows" and Branch count: 7 Document count: 7 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and @@ -6340,7 +6340,7 @@ file where host.os.type == "windows" and event.type != "deletion" and user.domai Branch count: 2 Document count: 2 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python registry where host.os.type == "windows" and registry.path : ( @@ -6355,7 +6355,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -6373,7 +6373,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) 
@@ -6385,7 +6385,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python sequence by user.email with maxspan=10m @@ -6400,7 +6400,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6413,7 +6413,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -6427,7 +6427,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 2 Document count: 6 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by host.id, user.name with maxspan = 5s @@ -6456,7 +6456,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python process where event.type in ("start", "process_started", "info") and @@ -6480,7 +6480,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python any where host.os.type == "windows" and event.action == "Directory Service Access" and @@ -6512,7 +6512,7 @@ any where host.os.type == "windows" and event.action == "Directory Service Acces Branch count: 1 Document count: 1 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.code == "10" and 
@@ -6530,7 +6530,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python process where host.os.type == "windows" and event.code == "10" and @@ -6549,7 +6549,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 4 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python sequence by process.entity_id with maxspan=1m @@ -6567,7 +6567,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python sequence by process.entity_id @@ -6582,7 +6582,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6603,7 +6603,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6624,7 +6624,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) @@ -6636,7 +6636,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" 
@@ -6648,7 +6648,7 @@ process where event.action == "exec" and process.parent.name =="proot" and host Branch count: 2 Document count: 2 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 @@ -6660,7 +6660,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6673,7 +6673,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6686,7 +6686,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6699,7 +6699,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python process where process.name=="mount" and event.action =="exec" and @@ -6713,7 +6713,7 @@ process where process.name=="mount" and event.action =="exec" and Branch count: 60 Document count: 120 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python sequence by host.id with maxspan=1m @@ -6749,7 +6749,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -6762,7 +6762,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6780,7 +6780,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -6794,7 +6794,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 16 Document count: 32 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python sequence by host.id with maxspan=30s @@ -6812,7 +6812,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and process.name == "unshadow" and @@ -6825,7 +6825,7 @@ process where host.os.type == "linux" and process.name == "unshadow" and Branch count: 6 Document count: 6 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6844,7 +6844,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip and host.os.type:macos @@ -6856,7 +6856,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and file. Branch count: 16 Document count: 16 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6896,7 +6896,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python sequence by process.entity_id with maxspan=1m 
@@ -6915,7 +6915,7 @@ sequence by process.entity_id with maxspan=1m
 Branch count: 84
 Document count: 84
 
-Index: geneve-ut-466
+Index: geneve-ut-0466
 
 ```python
 file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
@@ -6955,7 +6955,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-469
+Index: geneve-ut-0469
 
 ```python
 event.category:file and host.os.type:macos and not event.type:"deletion" and
@@ -6968,7 +6968,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-470
+Index: geneve-ut-0470
 
 ```python
 event.category:file and host.os.type:macos and not event.type:"deletion" and
@@ -6983,7 +6983,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and
 Branch count: 3
 Document count: 3
 
-Index: geneve-ut-471
+Index: geneve-ut-0471
 
 ```python
 event.category:file and host.os.type:macos and not event.type:"deletion" and
@@ -6996,7 +6996,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-472
+Index: geneve-ut-0472
 
 ```python
 registry where host.os.type == "windows" and event.type:"change" and
@@ -7013,7 +7013,7 @@ registry where host.os.type == "windows" and event.type:"change" and
 Branch count: 8
 Document count: 8
 
-Index: geneve-ut-473
+Index: geneve-ut-0473
 
 ```python
 registry where host.os.type == "windows" and event.type in ("creation", "change") and
@@ -7033,7 +7033,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 Branch count: 225
 Document count: 225
 
-Index: geneve-ut-474
+Index: geneve-ut-0474
 
 ```python
 event.category:process and host.os.type:windows and
@@ -7160,7 +7160,7 @@ event.category:process and host.os.type:windows and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-475
+Index: geneve-ut-0475
 
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -7176,7 +7176,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-476
+Index: geneve-ut-0476
 
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and
@@ -7190,7 +7190,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 8
 Document count: 8
 
-Index: geneve-ut-477
+Index: geneve-ut-0477
 
 ```python
 /* This rule is compatible with both Sysmon and Elastic Endpoint */
@@ -7213,7 +7213,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-478
+Index: geneve-ut-0478
 
 ```python
 file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
@@ -7225,7 +7225,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-479
+Index: geneve-ut-0479
 
 ```python
 event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)
@@ -7237,7 +7237,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-480
+Index: geneve-ut-0480
 
 ```python
 iam where host.os.type == "windows" and event.action == "renamed-user-account" and
@@ -7251,7 +7251,7 @@ iam where host.os.type == "windows" and event.action == "renamed-user-account" a
 Branch count: 1
 Document count: 2
 
-Index: geneve-ut-481
+Index: geneve-ut-0481
 
 ```python
 sequence with maxspan=5s
@@ -7271,7 +7271,7 @@ sequence with maxspan=5s
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-483
+Index: geneve-ut-0483
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -7284,7 +7284,7 @@ process where host.os.type == "linux" and event.type == "start" and
 Branch count: 2
 Document count: 4
 
-Index: geneve-ut-484
+Index: geneve-ut-0484
 
 ```python
 sequence by host.id, user.id with maxspan=1m
@@ -7308,7 +7308,7 @@ sequence by host.id, user.id with maxspan=1m
 Branch count: 5
 Document count: 5
 
-Index: geneve-ut-485
+Index: geneve-ut-0485
 
 ```python
 /* Identifies the modification of RDP Shadow registry or
@@ -7335,7 +7335,7 @@ any where host.os.type == "windows" and
 Branch count: 5
 Document count: 5
 
-Index: geneve-ut-486
+Index: geneve-ut-0486
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7350,7 +7350,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 80
 Document count: 80
 
-Index: geneve-ut-487
+Index: geneve-ut-0487
 
 ```python
 process where event.type in ("start", "process_started") and
@@ -7369,7 +7369,7 @@ process where event.type in ("start", "process_started") and
 Branch count: 64
 Document count: 192
 
-Index: geneve-ut-488
+Index: geneve-ut-0488
 
 ```python
 sequence by host.id, source.ip with maxspan=10s
@@ -7384,7 +7384,7 @@ sequence by host.id, source.ip with maxspan=10s
 Branch count: 8
 Document count: 24
 
-Index: geneve-ut-489
+Index: geneve-ut-0489
 
 ```python
 sequence by host.id, source.ip, user.name with maxspan=3s
@@ -7401,7 +7401,7 @@ sequence by host.id, source.ip, user.name with maxspan=3s
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-490
+Index: geneve-ut-0490
 
 ```python
 file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA"
@@ -7413,7 +7413,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name :
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-491
+Index: geneve-ut-0491
 
 ```python
 event.action:"Directory Service Changes" and host.os.type:windows and event.code:"5136" and
@@ -7427,7 +7427,7 @@ event.action:"Directory Service Changes" and host.os.type:windows and event.code
 Branch count: 8
 Document count: 8
 
-Index: geneve-ut-492
+Index: geneve-ut-0492
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"
@@ -7466,7 +7466,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 Branch count: 32
 Document count: 96
 
-Index: geneve-ut-493
+Index: geneve-ut-0493
 
 ```python
 /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
@@ -7494,7 +7494,7 @@ sequence by host.id with maxspan=1m
 Branch count: 8
 Document count: 16
 
-Index: geneve-ut-495
+Index: geneve-ut-0495
 
 ```python
 sequence by host.id, process.entity_id with maxspan = 5s
@@ -7510,7 +7510,7 @@ sequence by host.id, process.entity_id with maxspan = 5s
 Branch count: 7
 Document count: 7
 
-Index: geneve-ut-497
+Index: geneve-ut-0497
 
 ```python
 event.category:process and host.os.type:windows and
@@ -7532,7 +7532,7 @@ event.category:process and host.os.type:windows and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-498
+Index: geneve-ut-0498
 
 ```python
 event.category:process and host.os.type:windows and
@@ -7547,7 +7547,7 @@ event.category:process and host.os.type:windows and
 Branch count: 5
 Document count: 5
 
-Index: geneve-ut-500
+Index: geneve-ut-0500
 
 ```python
 event.category:process and host.os.type:windows and
@@ -7570,7 +7570,7 @@ event.category:process and host.os.type:windows and
 Branch count: 3
 Document count: 3
 
-Index: geneve-ut-501
+Index: geneve-ut-0501
 
 ```python
 event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18"
@@ -7582,7 +7582,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block
 Branch count: 9
 Document count: 9
 
-Index: geneve-ut-502
+Index: geneve-ut-0502
 
 ```python
 event.category:process and host.os.type:windows and
@@ -7605,7 +7605,7 @@ event.category:process and host.os.type:windows and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-503
+Index: geneve-ut-0503
 
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -7621,7 +7621,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 48
 Document count: 48
 
-Index: geneve-ut-507
+Index: geneve-ut-0507
 
 ```python
 event.category:process and host.os.type:windows and
@@ -7661,7 +7661,7 @@ event.category:process and host.os.type:windows and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-512
+Index: geneve-ut-0512
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7675,7 +7675,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-513
+Index: geneve-ut-0513
 
 ```python
 file where host.os.type == "windows" and event.action : "Pipe Created*" and
@@ -7689,7 +7689,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-514
+Index: geneve-ut-0514
 
 ```python
 event.category:file and host.os.type:macos and not event.type:deletion and
@@ -7702,7 +7702,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-515
+Index: geneve-ut-0515
 
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -7720,7 +7720,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 1
 Document count: 5
 
-Index: geneve-ut-516
+Index: geneve-ut-0516
 
 ```python
 sequence by winlog.computer_name, source.ip with maxspan=10s
@@ -7738,7 +7738,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s
 Branch count: 7
 Document count: 7
 
-Index: geneve-ut-518
+Index: geneve-ut-0518
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7752,7 +7752,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 96
 Document count: 96
 
-Index: geneve-ut-519
+Index: geneve-ut-0519
 
 ```python
 /* This rule is only compatible with Elastic Endpoint 8.4+ */
@@ -7827,7 +7827,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
 Branch count: 2
 Document count: 4
 
-Index: geneve-ut-520
+Index: geneve-ut-0520
 
 ```python
 sequence by winlog.computer_name with maxspan=1m
@@ -7848,7 +7848,7 @@ sequence by winlog.computer_name with maxspan=1m
 Branch count: 66
 Document count: 66
 
-Index: geneve-ut-521
+Index: geneve-ut-0521
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7886,7 +7886,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-522
+Index: geneve-ut-0522
 
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
@@ -7898,7 +7898,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-523
+Index: geneve-ut-0523
 
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
@@ -7910,7 +7910,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-524
+Index: geneve-ut-0524
 
 ```python
 process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)"
@@ -7922,7 +7922,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote
 Branch count: 3
 Document count: 6
 
-Index: geneve-ut-526
+Index: geneve-ut-0526
 
 ```python
 sequence by host.id with maxspan=5s
@@ -7946,7 +7946,7 @@ sequence by host.id with maxspan=5s
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-527
+Index: geneve-ut-0527
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -7960,7 +7960,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-528
+Index: geneve-ut-0528
 
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
@@ -7973,7 +7973,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 2
 
-Index: geneve-ut-529
+Index: geneve-ut-0529
 
 ```python
 sequence by process.entity_id
@@ -7997,7 +7997,7 @@ sequence by process.entity_id
 Branch count: 1
 Document count: 2
 
-Index: geneve-ut-530
+Index: geneve-ut-0530
 
 ```python
 sequence by user.id, host.id with maxspan=15s
@@ -8016,7 +8016,7 @@ sequence by user.id, host.id with maxspan=15s
 Branch count: 12
 Document count: 12
 
-Index: geneve-ut-531
+Index: geneve-ut-0531
 
 ```python
 event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
@@ -8061,7 +8061,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti
 Branch count: 16
 Document count: 16
 
-Index: geneve-ut-532
+Index: geneve-ut-0532
 
 ```python
 registry where host.os.type == "windows" and event.type in ("creation", "change") and
@@ -8080,7 +8080,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 Branch count: 12
 Document count: 12
 
-Index: geneve-ut-533
+Index: geneve-ut-0533
 
 ```python
 event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
@@ -8125,7 +8125,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti
 Branch count: 12
 Document count: 12
 
-Index: geneve-ut-534
+Index: geneve-ut-0534
 
 ```python
 event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
@@ -8170,7 +8170,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-535
+Index: geneve-ut-0535
 
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
@@ -8182,7 +8182,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-536
+Index: geneve-ut-0536
 
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
@@ -8194,7 +8194,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-539
+Index: geneve-ut-0539
 
 ```python
 registry where host.os.type == "windows" and
@@ -8211,7 +8211,7 @@ registry where host.os.type == "windows" and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-540
+Index: geneve-ut-0540
 
 ```python
 registry where host.os.type == "windows" and
@@ -8233,7 +8233,7 @@ registry where host.os.type == "windows" and
 Branch count: 18
 Document count: 18
 
-Index: geneve-ut-542
+Index: geneve-ut-0542
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8248,7 +8248,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 4
 
-Index: geneve-ut-543
+Index: geneve-ut-0543
 
 ```python
 sequence with maxspan=1m
@@ -8262,7 +8262,7 @@ sequence with maxspan=1m
 Branch count: 16
 Document count: 16
 
-Index: geneve-ut-544
+Index: geneve-ut-0544
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8276,7 +8276,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 11
 Document count: 11
 
-Index: geneve-ut-545
+Index: geneve-ut-0545
 
 ```python
 file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
@@ -8289,7 +8289,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-546
+Index: geneve-ut-0546
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8303,7 +8303,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-547
+Index: geneve-ut-0547
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8317,7 +8317,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 12
 Document count: 24
 
-Index: geneve-ut-548
+Index: geneve-ut-0548
 
 ```python
 sequence by host.id, process.entity_id with maxspan=30s
@@ -8334,7 +8334,7 @@ sequence by host.id, process.entity_id with maxspan=30s
 Branch count: 8
 Document count: 16
 
-Index: geneve-ut-549
+Index: geneve-ut-0549
 
 ```python
 sequence by host.id, process.entity_id
@@ -8350,7 +8350,7 @@ sequence by host.id, process.entity_id
 Branch count: 1
 Document count: 2
 
-Index: geneve-ut-550
+Index: geneve-ut-0550
 
 ```python
 /* Network Logon followed by Scheduled Task creation */
@@ -8370,7 +8370,7 @@ sequence by winlog.computer_name with maxspan=1m
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-551
+Index: geneve-ut-0551
 
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -8385,7 +8385,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 4
 
-Index: geneve-ut-552
+Index: geneve-ut-0552
 
 ```python
 /* Task Scheduler service incoming connection followed by TaskCache registry modification */
@@ -8404,7 +8404,7 @@ sequence by host.id, process.entity_id with maxspan = 1m
 Branch count: 11
 Document count: 11
 
-Index: geneve-ut-553
+Index: geneve-ut-0553
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8424,7 +8424,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 2
 
-Index: geneve-ut-554
+Index: geneve-ut-0554
 
 ```python
 sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
@@ -8466,7 +8466,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and
 Branch count: 8
 Document count: 16
 
-Index: geneve-ut-555
+Index: geneve-ut-0555
 
 ```python
 sequence with maxspan=1s
@@ -8513,7 +8513,7 @@ sequence with maxspan=1s
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-556
+Index: geneve-ut-0556
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8526,7 +8526,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 72
 Document count: 216
 
-Index: geneve-ut-557
+Index: geneve-ut-0557
 
 ```python
 sequence by host.id with maxspan = 5s
@@ -8543,7 +8543,7 @@ sequence by host.id with maxspan = 5s
 Branch count: 24
 Document count: 24
 
-Index: geneve-ut-558
+Index: geneve-ut-0558
 
 ```python
 event.category:(network or network_traffic) and network.protocol:http and
@@ -8589,7 +8589,7 @@ event.category:(network or network_traffic) and network.protocol:http and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-559
+Index: geneve-ut-0559
 
 ```python
 registry where host.os.type == "windows" and event.type:"change" and
@@ -8608,7 +8608,7 @@ registry where host.os.type == "windows" and event.type:"change" and
 Branch count: 18
 Document count: 18
 
-Index: geneve-ut-560
+Index: geneve-ut-0560
 
 ```python
 event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
@@ -8653,7 +8653,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-561
+Index: geneve-ut-0561
 
 ```python
 event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))
@@ -8665,7 +8665,7 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti
 Branch count: 8
 Document count: 8
 
-Index: geneve-ut-562
+Index: geneve-ut-0562
 
 ```python
 event.category:file and event.type:(change or creation) and
@@ -8691,7 +8691,7 @@ event.category:file and event.type:(change or creation) and
 Branch count: 60
 Document count: 120
 
-Index: geneve-ut-564
+Index: geneve-ut-0564
 
 ```python
 sequence by host.id with maxspan = 30s
@@ -8710,7 +8710,7 @@ sequence by host.id with maxspan = 30s
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-566
+Index: geneve-ut-0566
 
 ```python
 registry where host.os.type == "windows" and
@@ -8726,7 +8726,7 @@ registry where host.os.type == "windows" and
 Branch count: 27
 Document count: 27
 
-Index: geneve-ut-567
+Index: geneve-ut-0567
 
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and
@@ -8767,7 +8767,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-568
+Index: geneve-ut-0568
 
 ```python
 any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
@@ -8801,7 +8801,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-569
+Index: geneve-ut-0569
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8815,7 +8815,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-570
+Index: geneve-ut-0570
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -8829,7 +8829,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 58
 Document count: 58
 
-Index: geneve-ut-571
+Index: geneve-ut-0571
 
 ```python
 process where event.type == "start" and
@@ -8875,7 +8875,7 @@ process.name : "grep" and user.id != "0" and
 Branch count: 135
 Document count: 135
 
-Index: geneve-ut-572
+Index: geneve-ut-0572
 
 ```python
 event.category:process and host.os.type:linux and event.type:start and
@@ -8918,7 +8918,7 @@ event.category:process and host.os.type:linux and event.type:start and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-573
+Index: geneve-ut-0573
 
 ```python
 event.action:"Authorization Policy Change" and host.os.type:windows and event.code:4704 and
@@ -8931,7 +8931,7 @@ event.action:"Authorization Policy Change" and host.os.type:windows and event.co
 Branch count: 16
 Document count: 32
 
-Index: geneve-ut-574
+Index: geneve-ut-0574
 
 ```python
 sequence by process.entity_id with maxspan = 1m
@@ -8948,7 +8948,7 @@ sequence by process.entity_id with maxspan = 1m
 Branch count: 96
 Document count: 96
 
-Index: geneve-ut-575
+Index: geneve-ut-0575
 
 ```python
 /* This rule is not compatible with Sysmon due to user.id issues */
@@ -8968,7 +8968,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 2
 
-Index: geneve-ut-576
+Index: geneve-ut-0576
 
 ```python
 sequence by winlog.computer_name with maxspan=5m
@@ -8992,7 +8992,7 @@ sequence by winlog.computer_name with maxspan=5m
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-578
+Index: geneve-ut-0578
 
 ```python
 event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
@@ -9004,7 +9004,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint
 Branch count: 6
 Document count: 12
 
-Index: geneve-ut-579
+Index: geneve-ut-0579
 
 ```python
 sequence by host.id with maxspan=5s
@@ -9018,7 +9018,7 @@ sequence by host.id with maxspan=5s
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-580
+Index: geneve-ut-0580
 
 ```python
 process where host.os.type == "windows" and event.type == "start"
@@ -9032,7 +9032,7 @@ process where host.os.type == "windows" and event.type == "start"
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-581
+Index: geneve-ut-0581
 
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -9046,7 +9046,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 28
 Document count: 28
 
-Index: geneve-ut-582
+Index: geneve-ut-0582
 
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -9070,7 +9070,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 12
 Document count: 24
 
-Index: geneve-ut-590
+Index: geneve-ut-0590
 
 ```python
 sequence by host.id, process.entity_id with maxspan=5s
@@ -9095,7 +9095,7 @@ sequence by host.id, process.entity_id with maxspan=5s
 Branch count: 36
 Document count: 36
 
-Index: geneve-ut-591
+Index: geneve-ut-0591
 
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -9128,7 +9128,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 120
 Document count: 120
 
-Index: geneve-ut-592
+Index: geneve-ut-0592
 
 ```python
 registry where host.os.type == "windows" and registry.data.strings != null and
@@ -9173,7 +9173,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-594
+Index: geneve-ut-0594
 
 ```python
 file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and
@@ -9198,7 +9198,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-596
+Index: geneve-ut-0596
 
 ```python
 event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)
@@ -9210,7 +9210,7 @@ event.category:file and event.type:change and file.path:(/etc/sudoers* or /priva
 Branch count: 16
 Document count: 16
 
-Index: geneve-ut-597
+Index: geneve-ut-0597
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9224,7 +9224,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-598
+Index: geneve-ut-0598
 
 ```python
 event.category:process and host.os.type:windows and
@@ -9240,7 +9240,7 @@ event.category:process and host.os.type:windows and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-599
+Index: geneve-ut-0599
 
 ```python
 event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
@@ -9252,7 +9252,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-600
+Index: geneve-ut-0600
 
 ```python
 file where host.os.type == "windows" and event.action != "deletion" and file.path != null and
@@ -9265,7 +9265,7 @@ file where host.os.type == "windows" and event.action != "deletion" and file.pat
 Branch count: 2
 Document count: 4
 
-Index: geneve-ut-601
+Index: geneve-ut-0601
 
 ```python
 sequence by host.id with maxspan=30s
@@ -9279,7 +9279,7 @@ sequence by host.id with maxspan=30s
 Branch count: 182
 Document count: 182
 
-Index: geneve-ut-602
+Index: geneve-ut-0602
 
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -9309,7 +9309,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-603
+Index: geneve-ut-0603
 
 ```python
 event.category:file and host.os.type:macos and event.action:modification and
@@ -9333,7 +9333,7 @@ event.category:file and host.os.type:macos and event.action:modification and
 Branch count: 14
 Document count: 14
 
-Index: geneve-ut-604
+Index: geneve-ut-0604
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9347,7 +9347,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-605
+Index: geneve-ut-0605
 
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -9370,7 +9370,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-606
+Index: geneve-ut-0606
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9384,7 +9384,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-607
+Index: geneve-ut-0607
 
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and process.name != null and
@@ -9397,7 +9397,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name
 Branch count: 189
 Document count: 189
 
-Index: geneve-ut-608
+Index: geneve-ut-0608
 
 ```python
 any where host.os.type == "windows" and
@@ -9425,7 +9425,7 @@ any where host.os.type == "windows" and
 Branch count: 44
 Document count: 44
 
-Index: geneve-ut-609
+Index: geneve-ut-0609
 
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -9461,7 +9461,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-610
+Index: geneve-ut-0610
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9480,7 +9480,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
 
-Index: geneve-ut-612
+Index: geneve-ut-0612
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
@@ -9496,7 +9496,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex
 Branch count: 14
 Document count: 14
 
-Index: geneve-ut-615
+Index: geneve-ut-0615
 
 ```python
 process where host.os.type == "windows" and event.type : "start" and
@@ -9516,7 +9516,7 @@ process where host.os.type == "windows" and event.type : "start" and
 Branch count: 14
 Document count: 14
 
-Index: geneve-ut-616
+Index: geneve-ut-0616
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9540,7 +9540,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 5
 Document count: 5
 
-Index: geneve-ut-617
+Index: geneve-ut-0617
 
 ```python
 file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
@@ -9555,7 +9555,7 @@ and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd",
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-619
+Index: geneve-ut-0619
 
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -9568,7 +9568,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 30
 Document count: 30
 
-Index: geneve-ut-620
+Index: geneve-ut-0620
 
 ```python
 any where host.os.type == "windows" and
@@ -9583,7 +9583,7 @@ any where host.os.type == "windows" and
 Branch count: 4
 Document count: 4
 
-Index: geneve-ut-621
+Index: geneve-ut-0621
 
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -9600,7 +9600,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-622
+Index: geneve-ut-0622
 
 ```python
 process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
@@ -9614,7 +9614,7 @@ process where host.os.type == "windows" and event.action == "start" and process.
 Branch count: 16
 Document count: 16
 
-Index: geneve-ut-623
+Index: geneve-ut-0623
 
 ```python
 process where event.type in ("start", "process_started") and
@@ -9628,7 +9628,7 @@ process where event.type in ("start", "process_started") and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-624
+Index: geneve-ut-0624
 
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -9647,7 +9647,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 1
 Document count: 1
 
-Index: geneve-ut-625
+Index: geneve-ut-0625
 
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -9677,7 +9677,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 456
 Document count: 456
 
-Index: geneve-ut-626
+Index: geneve-ut-0626
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9697,7 +9697,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 52
 Document count: 52
 
-Index: geneve-ut-627
+Index: geneve-ut-0627
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -9718,7 +9718,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 64
 Document count: 128
 
-Index: geneve-ut-628
+Index: geneve-ut-0628
 
 ```python
 sequence by process.entity_id with maxspan=5m
@@ -9741,7 +9741,7 @@ sequence by process.entity_id with maxspan=5m
 Branch count: 14
 Document count: 14
 
-Index: geneve-ut-630
+Index: geneve-ut-0630
 
 ```python
 file where host.os.type == "linux" and event.type == "creation" and
@@ -9755,7 +9755,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic
 Branch count: 2
 Document count: 2
 
-Index: geneve-ut-631
+Index: geneve-ut-0631
 
 ```python
 library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and
@@ -9831,7 +9831,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 1 Document count: 2 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python sequence by process.entity_id with maxspan=1m @@ -9847,7 +9847,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 212 Document count: 212 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9871,7 +9871,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:process and host.os.type:windows and @@ -9886,7 +9886,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -9900,7 +9900,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python sequence by host.id with maxspan=30s @@ -9924,7 +9924,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -9957,7 +9957,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -9976,7 +9976,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9989,7 +9989,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python any where host.os.type == "windows" and @@ -10017,7 +10017,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -10035,7 +10035,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 2 Document count: 4 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python sequence by process.entity_id with maxspan=2m @@ -10069,7 +10069,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 2 Document count: 2 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10094,7 +10094,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python registry where host.os.type == "windows" and @@ -10124,7 +10124,7 @@ registry where host.os.type == "windows" and Branch count: 30 Document count: 30 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python any where host.os.type == "windows" and @@ -10139,7 +10139,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python sequence by process.entity_id with maxspan = 2m @@ -10157,7 +10157,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10176,7 +10176,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10189,7 +10189,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -10235,7 +10235,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-655 +Index: geneve-ut-0655 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10267,7 +10267,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10283,7 +10283,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10296,7 +10296,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-658 +Index: geneve-ut-0658 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -10323,7 +10323,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 12 Document count: 12 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10340,7 +10340,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10357,7 +10357,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10374,7 +10374,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10387,7 +10387,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -10400,7 +10400,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 90 Document count: 90 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python process where event.type in ("start", "process_started") and @@ -10423,7 +10423,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -10437,7 +10437,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python file where host.os.type == "windows" and event.type == "deletion" and 
@@ -10465,7 +10465,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python event.dataset:okta.system and event.action:security.threat.detected @@ -10477,7 +10477,7 @@ event.dataset:okta.system and event.action:security.threat.detected Branch count: 4 Document count: 4 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where event.type == "start" and @@ -10492,7 +10492,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10509,7 +10509,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -10525,7 +10525,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10538,7 +10538,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and @@ -10553,7 +10553,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10569,7 +10569,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10584,7 +10584,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10600,7 +10600,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -10612,7 +10612,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-680 +Index: geneve-ut-0680 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -10624,7 +10624,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -10638,7 +10638,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10652,7 +10652,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and 
@@ -10665,7 +10665,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python sequence with maxspan=1h @@ -10683,7 +10683,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -10705,7 +10705,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-692 +Index: geneve-ut-0692 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -10768,7 +10768,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -10782,7 +10782,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python sequence by process.entity_id with maxspan=5m @@ -10844,7 +10844,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -10863,7 +10863,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -10882,7 +10882,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10919,7 +10919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 32 Document count: 32 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10960,7 +10960,7 @@ process.parent.name != null and Branch count: 8 Document count: 8 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python registry where host.os.type == "windows" and @@ -10992,7 +10992,7 @@ registry where host.os.type == "windows" and Branch count: 32 Document count: 32 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11015,7 +11015,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11028,7 +11028,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python sequence by process.entity_id @@ -11065,7 +11065,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11080,7 +11080,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) 
@@ -11092,7 +11092,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -11104,7 +11104,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python iam where host.os.type == "windows" and event.action == "added-member-to-group" and @@ -11124,7 +11124,7 @@ iam where host.os.type == "windows" and event.action == "added-member-to-group" Branch count: 1 Document count: 1 -Index: geneve-ut-735 +Index: geneve-ut-0735 ```python event.action:"Directory Service Changes" and host.os.type:windows and @@ -11138,7 +11138,7 @@ event.action:"Directory Service Changes" and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -11183,7 +11183,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 6 Document count: 6 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -11228,7 +11228,7 @@ event.category:(network or network_traffic) and network.transport:tcp and destin Branch count: 10 Document count: 10 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and 
@@ -11246,7 +11246,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python process where event.type == "start" and @@ -11261,7 +11261,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11278,7 +11278,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python process where host.os.type == "windows" and event.type == "start" @@ -11292,7 +11292,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11308,7 +11308,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11322,7 +11322,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python sequence by host.id with maxspan = 2s @@ -11350,7 +11350,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python url.path:* @@ -11362,7 +11362,7 @@ url.path:* Branch count: 1 Document count: 1 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python http.response.status_code:403 and http.request.method:post 
@@ -11374,7 +11374,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-747 +Index: geneve-ut-0747 ```python http.response.status_code:405 @@ -11386,7 +11386,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-748 +Index: geneve-ut-0748 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -11398,7 +11398,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 42 Document count: 42 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11412,7 +11412,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python event.category:process and host.os.type:macos and event.type:start and @@ -11428,7 +11428,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python file where event.type == "deletion" and @@ -11445,7 +11445,7 @@ file where event.type == "deletion" and Branch count: 33 Document count: 33 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and @@ -11474,7 +11474,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 24 Document count: 24 -Index: geneve-ut-754 +Index: geneve-ut-0754 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -11507,7 +11507,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 12 Document count: 12 -Index: geneve-ut-755 +Index: geneve-ut-0755 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11522,7 +11522,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-756 +Index: geneve-ut-0756 ```python event.action:("audit-log-cleared" or "Log clear") and host.os.type:windows @@ -11534,7 +11534,7 @@ event.action:("audit-log-cleared" or "Log clear") and host.os.type:windows Branch count: 16 Document count: 16 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python process where host.os.type == "windows" and event.action == "start" and @@ -11550,7 +11550,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11575,7 +11575,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -11590,7 +11590,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11603,7 +11603,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 216 Document count: 432 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python sequence by host.id with maxspan = 5s @@ -11643,7 +11643,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.action:"service-installed" and host.os.type:windows and @@ -11656,7 +11656,7 @@ event.action:"service-installed" and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python registry where host.os.type == "windows" and 
@@ -11671,7 +11671,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python process where host.os.type == "windows" and event.type : "start" and @@ -11685,7 +11685,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11699,7 +11699,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.5.md b/tests/reports/alerts_from_rules-8.5.md index fbcace31..dbbdfc72 100644 --- a/tests/reports/alerts_from_rules-8.5.md +++ b/tests/reports/alerts_from_rules-8.5.md @@ -18,7 +18,7 @@ Rules version: 8.5.8 Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -30,7 +30,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 4 Document count: 4 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -46,7 +46,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and 
@@ -59,7 +59,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -74,7 +74,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 160 Document count: 480 -Index: geneve-ut-478 +Index: geneve-ut-0478 Failure message(s): got 80 signals, expected 160 @@ -116,7 +116,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 1350 Document count: 1350 -Index: geneve-ut-500 +Index: geneve-ut-0500 Failure message(s): got 1000 signals, expected 1350 @@ -143,7 +143,7 @@ process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget" Branch count: 4608 Document count: 4608 -Index: geneve-ut-630 +Index: geneve-ut-0630 Failure message(s): got 1000 signals, expected 4608 @@ -196,7 +196,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -218,7 +218,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -239,7 +239,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue @@ -251,7 +251,7 @@ event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success 
@@ -263,7 +263,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -275,7 +275,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -287,7 +287,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -299,7 +299,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -311,7 +311,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -323,7 +323,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success 
@@ -335,7 +335,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -350,7 +350,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -362,7 +362,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -375,7 +375,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -387,7 +387,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -401,7 +401,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -413,7 +413,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -425,7 +425,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -437,7 +437,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -449,7 +449,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -462,7 +462,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -475,7 +475,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -489,7 +489,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -502,7 +502,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -514,7 +514,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -526,7 +526,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -538,7 +538,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -550,7 +550,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success 
@@ -562,7 +562,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -574,7 +574,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -586,7 +586,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -598,7 +598,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -610,7 +610,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -622,7 +622,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -634,7 +634,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -646,7 +646,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -658,7 +658,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -670,7 +670,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -682,7 +682,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -694,7 +694,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and 
@@ -707,7 +707,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -719,7 +719,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -734,7 +734,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -746,7 +746,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -758,7 +758,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -771,7 +771,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or 
@@ -784,7 +784,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -797,7 +797,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -825,7 +825,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -838,7 +838,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -852,7 +852,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -865,7 +865,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success 
@@ -877,7 +877,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -889,7 +889,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -901,7 +901,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 1 Document count: 1 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: network_traffic.flow and event.type: connection @@ -916,7 +916,7 @@ event.dataset: network_traffic.flow and event.type: connection Branch count: 26 Document count: 26 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -944,7 +944,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -982,7 +982,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python any where event.action == "Directory Service Access" and event.code == "4662" and @@ -1017,7 +1017,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 4 Document count: 4 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1033,7 +1033,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python sequence by winlog.computer_name with maxspan=5m @@ -1060,7 +1060,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 36 Document count: 36 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1080,7 +1080,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1097,7 +1097,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -1110,7 +1110,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1122,7 +1122,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1134,7 +1134,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -1149,7 +1149,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1161,7 +1161,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.agent_id_status:agent_id_mismatch @@ -1173,7 +1173,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1192,7 +1192,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1205,7 +1205,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1217,7 +1217,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1232,7 +1232,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:okta.system and event.action:system.api_token.create 
@@ -1244,7 +1244,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1256,7 +1256,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-086 +Index: geneve-ut-0086 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1268,7 +1268,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1280,7 +1280,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1292,7 +1292,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1304,7 +1304,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1316,7 +1316,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:zone.delete @@ -1328,7 +1328,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete 
@@ -1340,7 +1340,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1352,7 +1352,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1365,7 +1365,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 17 Document count: 17 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -1392,7 +1392,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -1408,7 +1408,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1421,7 +1421,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1440,7 +1440,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -1455,7 +1455,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1467,7 +1467,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1479,7 +1479,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1491,7 +1491,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1503,7 +1503,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1522,7 +1522,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1540,7 +1540,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all 
@@ -1552,7 +1552,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1564,7 +1564,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1577,7 +1577,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1589,7 +1589,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 1 Document count: 1 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -1604,7 +1604,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1618,7 +1618,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:azure.signinlogs and @@ -1632,7 +1632,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python event.dataset:azure.signinlogs and @@ -1645,7 +1645,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:azure.signinlogs and 
@@ -1659,7 +1659,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1672,7 +1672,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -1684,7 +1684,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -1696,7 +1696,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.activitylogs and @@ -1715,7 +1715,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.activitylogs and @@ -1729,7 +1729,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.activitylogs and @@ -1747,7 +1747,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) 
@@ -1759,7 +1759,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -1774,7 +1774,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -1786,7 +1786,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -1799,7 +1799,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -1811,7 +1811,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -1823,7 +1823,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) 
@@ -1835,7 +1835,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1847,7 +1847,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1859,7 +1859,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -1877,7 +1877,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -1889,7 +1889,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -1902,7 +1902,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and 
@@ -1915,7 +1915,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -1930,7 +1930,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -1942,7 +1942,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -1954,7 +1954,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -1966,7 +1966,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -1978,7 +1978,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) 
@@ -1990,7 +1990,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2002,7 +2002,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2020,7 +2020,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -2032,7 +2032,7 @@ process where host.os.type == "linux" and event.type != "end" and process.execut Branch count: 8 Document count: 8 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -2045,7 +2045,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 9 Document count: 9 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.category:file and event.type:change and @@ -2080,7 +2080,7 @@ event.category:file and event.type:change and Branch count: 8 Document count: 8 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -2100,7 +2100,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2118,7 +2118,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and @@ -2134,7 +2134,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2150,7 +2150,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2172,7 +2172,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2186,7 +2186,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -2203,7 +2203,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2223,7 +2223,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python sequence by process.entity_id 
@@ -2243,7 +2243,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2260,7 +2260,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 56 Document count: 56 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python registry where host.os.type == "windows" and @@ -2312,7 +2312,7 @@ registry where host.os.type == "windows" and Branch count: 24 Document count: 24 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2337,7 +2337,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python sequence by process.entity_id @@ -2357,7 +2357,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python sequence by process.entity_id @@ -2377,7 +2377,7 @@ sequence by process.entity_id Branch count: 24 Document count: 24 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2403,7 +2403,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2423,7 +2423,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -2436,7 +2436,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" @@ -2448,7 +2448,7 @@ file where host.os.type == "linux" and event.type == "creation" and file.extensi Branch count: 2 Document count: 2 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python registry where host.os.type == "windows" and registry.path : ( @@ -2463,7 +2463,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2475,7 +2475,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2508,7 +2508,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -2523,7 +2523,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2538,7 +2538,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) 
@@ -2550,7 +2550,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2562,7 +2562,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2574,7 +2574,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2586,7 +2586,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2598,7 +2598,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:cyberarkpas.audit and @@ -2613,7 +2613,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -2631,7 +2631,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 3 Document count: 3 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or @@ -2645,7 +2645,7 @@ event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2659,7 +2659,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2673,7 +2673,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python sequence by process.entity_id @@ -2700,7 +2700,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2722,7 +2722,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2739,7 +2739,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -2761,7 +2761,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2775,7 +2775,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -2787,7 +2787,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.category:process and host.os.type:macos and event.type:start and @@ -2800,7 +2800,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -2812,7 +2812,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 8 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python sequence by process.entity_id with maxspan=1m @@ -2827,7 +2827,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 3 Document count: 3 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python process where host.os.type == "linux" and event.type == "start" and process.name : "find" and @@ -2840,7 +2840,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 27 Document count: 27 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -2854,7 +2854,7 @@ process.args : ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", Branch count: 3 Document count: 3 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -2867,7 +2867,7 @@ process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/ Branch count: 2 Document count: 2 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -2879,7 +2879,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 199 Document count: 199 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python process where @@ -2907,7 +2907,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2920,7 +2920,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2934,7 +2934,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python registry where host.os.type == "windows" and @@ -2948,7 +2948,7 @@ registry where host.os.type == "windows" and Branch count: 34 Document count: 34 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2972,7 +2972,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -2984,7 +2984,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2998,7 +2998,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3014,7 +3014,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3052,7 +3052,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3077,7 +3077,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3093,7 +3093,7 @@ process.group_leader.name : "qualys-cloud-agent" Branch count: 1 Document count: 1 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python file where host.os.type == "linux" and event.action == "opened-file" and @@ -3106,7 +3106,7 @@ file.path == "/proc/modules" and not process.parent.pid == 1 Branch count: 4 Document count: 4 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python iam where event.action == "user-member-enumerated" and @@ -3163,7 +3163,7 @@ iam where event.action == "user-member-enumerated" and Branch count: 46 Document count: 46 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -3193,7 +3193,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" @@ -3205,7 +3205,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 2 Document count: 2 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3224,7 +3224,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python sequence with maxspan=2h @@ -3247,7 +3247,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python sequence with maxspan=2h @@ -3272,7 +3272,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3301,7 +3301,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3313,7 +3313,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3328,7 +3328,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3340,7 +3340,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 4 Document count: 4 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3365,7 +3365,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3377,7 +3377,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -3391,7 +3391,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3403,7 +3403,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -3415,7 +3415,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-231 +Index: geneve-ut-0231 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3429,7 +3429,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3441,7 +3441,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 19 Document count: 19 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3492,7 +3492,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python file where host.os.type == "windows" and event.code : "2" and @@ -3521,7 +3521,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 8 Document count: 8 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and @@ -3534,7 +3534,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 24 Document count: 24 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -3549,7 +3549,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 375 Document count: 750 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python sequence by process.entity_id 
@@ -3576,7 +3576,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "linux" and event.type == "start" and user.name == "root" and @@ -3590,7 +3590,7 @@ process where host.os.type == "linux" and event.type == "start" and user.name == Branch count: 2 Document count: 2 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -3616,7 +3616,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python event.dataset: google_workspace.alert @@ -3628,7 +3628,7 @@ event.dataset: google_workspace.alert Branch count: 4 Document count: 4 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and @@ -3642,7 +3642,7 @@ registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Mi Branch count: 2 Document count: 2 -Index: geneve-ut-246 +Index: geneve-ut-0246 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -3654,7 +3654,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -3666,7 +3666,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) 
@@ -3678,7 +3678,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -3690,7 +3690,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -3702,7 +3702,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -3714,7 +3714,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -3726,7 +3726,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -3738,7 +3738,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success 
@@ -3750,7 +3750,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -3762,7 +3762,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -3774,7 +3774,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -3786,7 +3786,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -3798,7 +3798,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -3810,7 +3810,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success 
@@ -3822,7 +3822,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -3834,7 +3834,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -3846,7 +3846,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -3858,7 +3858,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -3870,7 +3870,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-265 +Index: geneve-ut-0265 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -3882,7 +3882,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -3894,7 +3894,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") 
@@ -3906,7 +3906,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -3918,7 +3918,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -3931,7 +3931,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -3943,7 +3943,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -3955,7 +3955,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -3968,7 +3968,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE 
@@ -3980,7 +3980,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -3993,7 +3993,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -4005,7 +4005,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-276 +Index: geneve-ut-0276 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -4018,7 +4018,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-277 +Index: geneve-ut-0277 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -4035,7 +4035,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -4049,7 +4049,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-279 +Index: geneve-ut-0279 ```python sequence by source.user.email with maxspan=3m @@ -4073,7 +4073,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-280 +Index: geneve-ut-0280 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
@@ -4094,7 +4094,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4108,7 +4108,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -4120,7 +4120,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -4132,7 +4132,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -4145,7 +4145,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4158,7 +4158,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python sequence by process.entity_id with maxspan=5m @@ -4175,7 +4175,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python any where 
@@ -4202,7 +4202,7 @@ any where Branch count: 6 Document count: 6 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) @@ -4214,7 +4214,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4229,7 +4229,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500 @@ -4241,7 +4241,7 @@ event.dataset: network_traffic.flow and network.transport:udp and destination.po Branch count: 8 Document count: 8 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4258,7 +4258,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python sequence with maxspan=1m @@ -4277,7 +4277,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python sequence by host.id with maxspan=1m @@ -4295,7 +4295,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python sequence by host.id with maxspan=5s @@ -4314,7 +4314,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python sequence by host.id with maxspan = 30s @@ -4329,7 +4329,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python sequence by host.id with maxspan=30s 
@@ -4345,7 +4345,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 4 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4361,7 +4361,7 @@ sequence by process.entity_id Branch count: 4 Document count: 8 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python sequence by process.entity_id with maxspan = 5m @@ -4377,7 +4377,7 @@ sequence by process.entity_id with maxspan = 5m Branch count: 4 Document count: 4 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python registry where host.os.type == "windows" and @@ -4396,7 +4396,7 @@ registry where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -4409,7 +4409,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 2 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python sequence with maxspan=1m @@ -4425,7 +4425,7 @@ sequence with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python event.action:modified-user-account and event.code:4738 and @@ -4438,7 +4438,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4452,7 +4452,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and 
@@ -4500,7 +4500,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 3 Document count: 3 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or @@ -4513,7 +4513,7 @@ process where host.os.type == "linux" and event.action == "exec" and process.nam Branch count: 1 Document count: 1 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4526,7 +4526,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python process where host.os.type == "macos" and event.type == "start" and @@ -4541,7 +4541,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python event.dataset:kubernetes.audit_logs @@ -4556,7 +4556,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python event.dataset: "kubernetes.audit_logs" @@ -4570,7 +4570,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python event.dataset : "kubernetes.audit_logs" @@ -4586,7 +4586,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python event.dataset : "kubernetes.audit_logs" @@ -4603,7 +4603,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python event.dataset : "kubernetes.audit_logs" @@ -4620,7 +4620,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python event.dataset : "kubernetes.audit_logs" 
@@ -4637,7 +4637,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python event.dataset : "kubernetes.audit_logs" @@ -4670,7 +4670,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python event.dataset : "kubernetes.audit_logs" @@ -4687,7 +4687,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.dataset : "kubernetes.audit_logs" @@ -4704,7 +4704,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python event.dataset : "kubernetes.audit_logs" @@ -4721,7 +4721,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.dataset : "kubernetes.audit_logs" @@ -4737,7 +4737,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and @@ -4756,7 +4756,7 @@ file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp Branch count: 18 Document count: 18 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python any where event.action == "File System" and event.code == "4656" and @@ -4790,7 +4790,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 8 Document count: 8 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -4808,7 +4808,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python sequence by host.id with maxspan=1m 
@@ -4824,7 +4824,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python sequence by host.id with maxspan=1m @@ -4838,7 +4838,7 @@ sequence by host.id with maxspan=1m Branch count: 99 Document count: 99 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4884,7 +4884,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4904,7 +4904,7 @@ process.args in ("root", "admin", "wheel", "staff", "sudo", Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python registry where host.os.type == "windows" and registry.path : ( @@ -4919,7 +4919,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python sequence with maxspan=1m @@ -4944,7 +4944,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-340 +Index: geneve-ut-0340 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -4956,7 +4956,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -4980,7 +4980,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python sequence by host.id, user.id with maxspan=30s 
@@ -4994,7 +4994,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5006,7 +5006,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5018,7 +5018,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -5030,7 +5030,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -5042,7 +5042,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success 
@@ -5054,7 +5054,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -5066,7 +5066,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -5078,7 +5078,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -5090,7 +5090,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -5102,7 +5102,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success 
@@ -5114,7 +5114,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -5126,7 +5126,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -5138,7 +5138,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -5150,7 +5150,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-357 +Index: geneve-ut-0357 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -5163,7 +5163,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -5182,7 +5182,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success 
@@ -5194,7 +5194,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -5209,7 +5209,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5223,7 +5223,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5237,7 +5237,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -5249,7 +5249,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -5261,7 +5261,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 3 Document count: 3 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5275,7 +5275,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5289,7 +5289,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5303,7 +5303,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5324,7 +5324,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5338,7 +5338,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5357,7 +5357,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -5382,7 +5382,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 8 Document count: 8 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5397,7 +5397,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5411,7 +5411,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5425,7 +5425,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5465,7 +5465,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -5477,7 +5477,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5495,7 +5495,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5512,7 +5512,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload @@ -5524,7 +5524,7 @@ event.category:file and host.os.type:linux and not event.type:deletion and file. Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -5549,7 +5549,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.category:file and host.os.type:linux and event.type:change and @@ -5567,7 +5567,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.category:process and host.os.type:macos and event.type:start and @@ -5589,7 +5589,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 4 Document count: 4 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.category:file and event.type:change and @@ -5629,7 +5629,7 @@ event.category:file and event.type:change and Branch count: 16 Document count: 16 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -5646,7 +5646,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -5660,7 +5660,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -5672,7 +5672,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 12 Document count: 12 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5691,7 +5691,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python sequence by process.entity_id @@ -5706,7 +5706,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python sequence by process.entity_id with maxspan=10m @@ -5724,7 +5724,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -5736,7 +5736,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -5761,7 +5761,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -5787,7 +5787,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 4 Document count: 8 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -5809,7 +5809,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 84 Document count: 84 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5828,7 +5828,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and 
@@ -5843,7 +5843,7 @@ not process.args : "/usr/bin/snap" Branch count: 1 Document count: 2 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python sequence by process.entity_id @@ -5863,7 +5863,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python sequence by process.entity_id @@ -5882,7 +5882,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python sequence by process.entity_id @@ -5901,7 +5901,7 @@ sequence by process.entity_id Branch count: 18 Document count: 36 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python sequence by process.entity_id @@ -5926,7 +5926,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python sequence by process.entity_id @@ -5948,7 +5948,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python registry where host.os.type == "windows" and registry.data.strings != null and @@ -5971,7 +5971,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and Branch count: 3 Document count: 3 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5984,7 +5984,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -5998,7 +5998,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping 
@@ -6010,7 +6010,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -6022,7 +6022,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -6036,7 +6036,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -6048,7 +6048,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 2 Document count: 2 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -6060,7 +6060,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -6072,7 +6072,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected 
@@ -6084,7 +6084,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -6099,7 +6099,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6113,7 +6113,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6125,7 +6125,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6137,7 +6137,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6155,7 +6155,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -6168,7 +6168,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python event.category:file and host.os.type:macos and event.action:modification and 
@@ -6182,7 +6182,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python sequence by host.id with maxspan=5s @@ -6198,7 +6198,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python /* Registry Path ends with backslash */ @@ -6223,7 +6223,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -6248,7 +6248,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python process where host.os.type == "macos" and event.type == "start" and @@ -6268,7 +6268,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6287,7 +6287,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6300,7 +6300,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6316,7 +6316,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -6329,7 +6329,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6348,7 +6348,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6376,7 +6376,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6391,7 +6391,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python registry where host.os.type == "windows" and @@ -6454,7 +6454,7 @@ registry where host.os.type == "windows" and Branch count: 7 Document count: 7 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and @@ -6477,7 +6477,7 @@ file where host.os.type == "windows" and event.type != "deletion" and user.domai Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python registry where host.os.type == "windows" and registry.path : ( @@ -6492,7 +6492,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
@@ -6510,7 +6510,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -6522,7 +6522,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python sequence by user.email with maxspan=10m @@ -6537,7 +6537,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6550,7 +6550,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -6564,7 +6564,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 2 Document count: 6 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id, user.name with maxspan = 5s @@ -6593,7 +6593,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python process where event.type in ("start", "process_started", "info") and @@ -6617,7 +6617,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python any where event.action == "Directory Service Access" and 
@@ -6649,7 +6649,7 @@ any where event.action == "Directory Service Access" and Branch count: 1 Document count: 1 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python process where host.os.type == "windows" and event.code == "10" and @@ -6667,7 +6667,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.code == "10" and @@ -6686,7 +6686,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 4 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python sequence by process.entity_id with maxspan=1m @@ -6704,7 +6704,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python sequence by process.entity_id @@ -6719,7 +6719,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6740,7 +6740,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6761,7 +6761,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) @@ -6773,7 +6773,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" 
@@ -6785,7 +6785,7 @@ process where event.action == "exec" and process.parent.name =="proot" and host Branch count: 2 Document count: 2 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 @@ -6797,7 +6797,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6810,7 +6810,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6823,7 +6823,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 24 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python sequence by host.id, source.ip, user.name with maxspan=5s @@ -6842,7 +6842,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s Branch count: 6 Document count: 6 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6855,7 +6855,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python process where process.name=="mount" and event.action =="exec" and @@ -6869,7 +6869,7 @@ process where process.name=="mount" and event.action =="exec" and Branch count: 8 Document count: 24 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python sequence by host.id, source.ip, user.name with maxspan=5s 
@@ -6888,7 +6888,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s Branch count: 60 Document count: 120 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python sequence by host.id with maxspan=1m @@ -6924,7 +6924,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6937,7 +6937,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6955,7 +6955,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -6969,7 +6969,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 16 Document count: 32 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python sequence by host.id with maxspan=30s @@ -6987,7 +6987,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python process where host.os.type == "linux" and event.type == "start" and @@ -7001,7 +7001,7 @@ process.args : "-u" and process.args : "0" and process.args : "-o" Branch count: 3 Document count: 6 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python sequence by process.parent.name,host.name with maxspan=1m @@ -7018,7 +7018,7 @@ sequence by process.parent.name,host.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python process where host.os.type == "linux" and process.name == "unshadow" and 
@@ -7031,7 +7031,7 @@ process where host.os.type == "linux" and process.name == "unshadow" and Branch count: 6 Document count: 6 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7050,7 +7050,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -7062,7 +7062,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7102,7 +7102,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python sequence by process.entity_id with maxspan=1m @@ -7121,7 +7121,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -7161,7 +7161,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 1 Document count: 1 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -7174,7 +7174,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and 
@@ -7189,7 +7189,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -7202,7 +7202,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -7219,7 +7219,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -7239,7 +7239,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 225 Document count: 225 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python event.category:process and host.os.type:windows and @@ -7366,7 +7366,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -7382,7 +7382,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -7396,7 +7396,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python /* This rule is compatible with both Sysmon and Elastic Endpoint */ 
@@ -7419,7 +7419,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -7431,7 +7431,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 1 Document count: 1 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -7443,7 +7443,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where event.action == "renamed-user-account" and @@ -7457,7 +7457,7 @@ iam where event.action == "renamed-user-account" and Branch count: 1 Document count: 2 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python sequence with maxspan=5s @@ -7477,7 +7477,7 @@ sequence with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python process where host.os.type == "linux" and event.type == "start" and @@ -7490,7 +7490,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python sequence by host.id, user.id with maxspan=1m @@ -7514,7 +7514,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 5 Document count: 5 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python /* Identifies the modification of RDP Shadow registry or @@ -7541,7 +7541,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7556,7 +7556,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 80 Document count: 80 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python process where event.type in ("start", "process_started") and @@ -7575,7 +7575,7 @@ process where event.type in ("start", "process_started") and Branch count: 64 Document count: 192 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python sequence by host.id, source.ip with maxspan=10s @@ -7590,7 +7590,7 @@ sequence by host.id, source.ip with maxspan=10s Branch count: 8 Document count: 24 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python sequence by host.id, source.ip, user.name with maxspan=3s @@ -7607,7 +7607,7 @@ sequence by host.id, source.ip, user.name with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -7619,7 +7619,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-508 +Index: geneve-ut-0508 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -7633,7 +7633,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 8 Document count: 8 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root" @@ -7672,7 +7672,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 32 Document count: 96 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ 
@@ -7700,7 +7700,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 16 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -7716,7 +7716,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 7 Document count: 7 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python event.category:process and host.os.type:windows and @@ -7738,7 +7738,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-514 +Index: geneve-ut-0514 ```python event.category:process and host.os.type:windows and @@ -7753,7 +7753,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python event.category:process and host.os.type:windows and @@ -7776,7 +7776,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -7788,7 +7788,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.category:process and host.os.type:windows and @@ -7811,7 +7811,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7827,7 +7827,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 48 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.category:process and host.os.type:windows and 
@@ -7867,7 +7867,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7881,7 +7881,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -7895,7 +7895,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -7908,7 +7908,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 4 Document count: 4 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python registry where host.os.type == "windows" and registry.path : ( @@ -7926,7 +7926,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7943,7 +7943,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7957,7 +7957,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 96 Document count: 96 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -8032,7 +8032,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python sequence by winlog.computer_name with maxspan=1m 
@@ -8053,7 +8053,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 66 Document count: 66 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8091,7 +8091,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind Branch count: 2 Document count: 2 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -8103,7 +8103,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -8115,7 +8115,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -8127,7 +8127,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python sequence by host.id with maxspan=5s @@ -8151,7 +8151,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8165,7 +8165,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -8178,7 +8178,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 2 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python sequence by process.entity_id @@ -8202,7 +8202,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python sequence by user.id, host.id with maxspan=15s @@ -8221,7 +8221,7 @@ sequence by user.id, host.id with maxspan=15s Branch count: 16 Document count: 16 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -8240,7 +8240,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -8252,7 +8252,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -8264,7 +8264,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python registry where host.os.type == "windows" and 
@@ -8281,7 +8281,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python registry where host.os.type == "windows" and @@ -8303,7 +8303,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8318,7 +8318,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python sequence with maxspan=1m @@ -8332,7 +8332,7 @@ sequence with maxspan=1m Branch count: 16 Document count: 16 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8346,7 +8346,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -8359,7 +8359,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8373,7 +8373,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8387,7 +8387,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python sequence by host.id, process.entity_id with maxspan=30s 
@@ -8404,7 +8404,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python sequence by host.id, process.entity_id @@ -8420,7 +8420,7 @@ sequence by host.id, process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python /* Network Logon followed by Scheduled Task creation */ @@ -8440,7 +8440,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8455,7 +8455,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -8474,7 +8474,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 12 Document count: 12 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8495,7 +8495,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -8537,7 +8537,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 8 Document count: 16 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python sequence with maxspan=1s @@ -8584,7 +8584,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8597,7 +8597,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 216 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by host.id with maxspan = 5s @@ -8614,7 +8614,7 @@ sequence by host.id with maxspan = 5s Branch count: 24 Document count: 24 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python event.dataset: (network_traffic.http or network_traffic.tls) and @@ -8660,7 +8660,7 @@ event.dataset: (network_traffic.http or network_traffic.tls) and Branch count: 4 Document count: 4 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -8679,7 +8679,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-578 +Index: geneve-ut-0578 ```python event.category:file and event.type:(change or creation) and @@ -8705,7 +8705,7 @@ event.category:file and event.type:(change or creation) and Branch count: 60 Document count: 120 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python sequence by host.id with maxspan = 30s @@ -8724,7 +8724,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python registry where host.os.type == "windows" and @@ -8740,7 +8740,7 @@ registry where host.os.type == "windows" and Branch count: 27 Document count: 27 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -8781,7 +8781,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and 
@@ -8815,7 +8815,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8829,7 +8829,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8843,7 +8843,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 58 Document count: 58 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python process where event.type == "start" and @@ -8889,7 +8889,7 @@ process.name : "grep" and user.id != "0" and Branch count: 135 Document count: 135 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python event.category:process and host.os.type:linux and event.type:start and @@ -8932,7 +8932,7 @@ event.category:process and host.os.type:linux and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -8945,7 +8945,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by process.entity_id with maxspan = 1m @@ -8962,7 +8962,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -8982,7 +8982,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python sequence by winlog.computer_name with maxspan=5m 
@@ -9006,7 +9006,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 1 Document count: 1 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -9018,7 +9018,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python sequence by host.id with maxspan=5s @@ -9032,7 +9032,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python process where host.os.type == "windows" and event.type == "start" @@ -9046,7 +9046,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9060,7 +9060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 28 Document count: 28 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9084,7 +9084,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -9109,7 +9109,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -9142,7 +9142,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -9167,7 +9167,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 2 Document count: 2 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) @@ -9179,7 +9179,7 @@ event.category:file and event.type:change and file.path:(/etc/sudoers* or /priva Branch count: 16 Document count: 16 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9193,7 +9193,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-614 +Index: geneve-ut-0614 ```python event.category:process and host.os.type:windows and @@ -9209,7 +9209,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -9221,7 +9221,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python file where host.os.type == "windows" and event.action != "deletion" and file.path != null and @@ -9234,7 +9234,7 @@ file where host.os.type == "windows" and event.action != "deletion" and file.pat Branch count: 2 Document count: 4 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python sequence by host.id with maxspan=30s 
@@ -9248,7 +9248,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-618 +Index: geneve-ut-0618 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9278,7 +9278,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -9302,7 +9302,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9316,7 +9316,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9339,7 +9339,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9353,7 +9353,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -9366,7 +9366,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python any where host.os.type == "windows" and 
@@ -9394,7 +9394,7 @@ any where host.os.type == "windows" and Branch count: 44 Document count: 44 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9430,7 +9430,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9449,7 +9449,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -9465,7 +9465,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python process where host.os.type == "windows" and event.type : "start" and @@ -9485,7 +9485,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9509,7 +9509,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and @@ -9524,7 +9524,7 @@ and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", Branch count: 2 Document count: 2 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -9537,7 +9537,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python any where host.os.type == "windows" and @@ -9552,7 +9552,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9569,7 +9569,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and @@ -9583,7 +9583,7 @@ process where host.os.type == "windows" and event.action == "start" and process. Branch count: 16 Document count: 16 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python process where event.type in ("start", "process_started") and @@ -9597,7 +9597,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9616,7 +9616,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9646,7 +9646,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 456 Document count: 456 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9666,7 +9666,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 52 Document count: 52 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9687,7 +9687,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 128 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python sequence by process.entity_id with maxspan=5m @@ -9710,7 +9710,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 14 Document count: 14 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python file where host.os.type == "linux" and event.type == "creation" and @@ -9724,7 +9724,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 2 Document count: 2 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -9800,7 +9800,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 1 Document count: 2 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python sequence by process.entity_id with maxspan=1m @@ -9816,7 +9816,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 212 Document count: 212 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9840,7 +9840,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python event.category:process and host.os.type:windows and @@ -9855,7 +9855,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-654 +Index: geneve-ut-0654 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -9869,7 +9869,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-655 +Index: geneve-ut-0655 ```python sequence by host.id with maxspan=30s 
@@ -9893,7 +9893,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -9926,7 +9926,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -9945,7 +9945,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9958,7 +9958,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "linux" and @@ -9973,7 +9973,7 @@ process.executable : ("*sh", "python*", "perl", "php*") Branch count: 48 Document count: 48 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python any where host.os.type == "windows" and @@ -10001,7 +10001,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -10019,7 +10019,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python file where host.os.type == "linux" and event.action == "rename" and @@ -10033,7 +10033,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and 
@@ -10046,7 +10046,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 2 Document count: 4 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python sequence by process.entity_id with maxspan=2m @@ -10080,7 +10080,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 2 Document count: 2 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10105,7 +10105,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python registry where host.os.type == "windows" and @@ -10135,7 +10135,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx") @@ -10148,7 +10148,7 @@ and process.parent.name : "kill" Branch count: 30 Document count: 30 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python any where host.os.type == "windows" and @@ -10163,7 +10163,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by process.entity_id with maxspan = 2m @@ -10181,7 +10181,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10200,7 +10200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10213,7 +10213,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -10259,7 +10259,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10291,7 +10291,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10307,7 +10307,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10321,7 +10321,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -10348,7 +10348,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 12 Document count: 12 -Index: geneve-ut-680 +Index: geneve-ut-0680 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10365,7 +10365,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-681 +Index: geneve-ut-0681 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10382,7 +10382,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-682 +Index: geneve-ut-0682 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10399,7 +10399,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10412,7 +10412,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -10425,7 +10425,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 90 Document count: 90 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python process where event.type in ("start", "process_started") and @@ -10448,7 +10448,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -10462,7 +10462,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python file where host.os.type == "windows" and event.type == "deletion" and @@ -10490,7 +10490,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-692 +Index: geneve-ut-0692 ```python process where event.type == "start" and 
@@ -10505,7 +10505,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10522,7 +10522,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -10538,7 +10538,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10551,7 +10551,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and @@ -10566,7 +10566,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10582,7 +10582,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10597,7 +10597,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10613,7 +10613,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-700 +Index: geneve-ut-0700 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -10625,7 +10625,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -10637,7 +10637,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -10651,7 +10651,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10665,7 +10665,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and @@ -10678,7 +10678,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-709 +Index: geneve-ut-0709 ```python sequence with maxspan=1h @@ -10696,7 +10696,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -10718,7 +10718,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -10783,7 +10783,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -10797,7 +10797,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python sequence by process.entity_id with maxspan=5m @@ -10859,7 +10859,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -10878,7 +10878,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-730 +Index: geneve-ut-0730 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -10897,7 +10897,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10934,7 +10934,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 32 Document count: 32 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10975,7 +10975,7 @@ process.parent.name != null and Branch count: 8 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python registry where host.os.type == "windows" and 
@@ -11007,7 +11007,7 @@ registry where host.os.type == "windows" and Branch count: 32 Document count: 32 -Index: geneve-ut-735 +Index: geneve-ut-0735 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11030,7 +11030,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11043,7 +11043,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python sequence by process.entity_id @@ -11080,7 +11080,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11095,7 +11095,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-754 +Index: geneve-ut-0754 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) @@ -11107,7 +11107,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-755 +Index: geneve-ut-0755 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -11119,7 +11119,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-756 +Index: geneve-ut-0756 ```python iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and 
@@ -11139,7 +11139,7 @@ iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" a Branch count: 1 Document count: 1 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -11153,7 +11153,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 3 Document count: 3 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -11198,7 +11198,7 @@ event.dataset: network_traffic.flow and network.transport:tcp and destination.po Branch count: 3 Document count: 3 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -11243,7 +11243,7 @@ event.dataset: network_traffic.flow and network.transport:tcp and destination.po Branch count: 10 Document count: 10 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -11261,7 +11261,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python process where event.type == "start" and @@ -11276,7 +11276,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11293,7 +11293,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python process where host.os.type == "windows" and event.type == "start" 
@@ -11307,7 +11307,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11323,7 +11323,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11337,7 +11337,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python sequence by host.id with maxspan = 2s @@ -11365,7 +11365,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python http.response.status_code:403 and http.request.method:post @@ -11377,7 +11377,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python http.response.status_code:405 @@ -11389,7 +11389,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -11401,7 +11401,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 42 Document count: 42 -Index: geneve-ut-770 +Index: geneve-ut-0770 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11415,7 +11415,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-771 +Index: geneve-ut-0771 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -11431,7 +11431,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-772 +Index: geneve-ut-0772 ```python file where event.type == "deletion" and @@ -11448,7 +11448,7 @@ file where event.type == "deletion" and Branch count: 33 Document count: 33 -Index: geneve-ut-773 +Index: geneve-ut-0773 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and @@ -11477,7 +11477,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 24 Document count: 24 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -11510,7 +11510,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 12 Document count: 12 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11525,7 +11525,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" @@ -11537,7 +11537,7 @@ event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" Branch count: 16 Document count: 16 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python process where host.os.type == "windows" and event.action == "start" and @@ -11553,7 +11553,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11578,7 +11578,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -11593,7 +11593,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11606,7 +11606,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 216 Document count: 432 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id with maxspan = 5s @@ -11646,7 +11646,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python event.action:"service-installed" and @@ -11659,7 +11659,7 @@ event.action:"service-installed" and Branch count: 2 Document count: 2 -Index: geneve-ut-784 +Index: geneve-ut-0784 ```python registry where host.os.type == "windows" and @@ -11674,7 +11674,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-785 +Index: geneve-ut-0785 ```python process where host.os.type == "windows" and event.type : "start" and @@ -11688,7 +11688,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-786 +Index: geneve-ut-0786 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11702,7 +11702,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.6.md b/tests/reports/alerts_from_rules-8.6.md index 8b8153fb..53d3ec3a 100644 
--- a/tests/reports/alerts_from_rules-8.6.md +++ b/tests/reports/alerts_from_rules-8.6.md @@ -18,7 +18,7 @@ Rules version: 8.6.10 Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -30,7 +30,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 4 Document count: 4 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -46,7 +46,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -59,7 +59,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -74,7 +74,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 1024 Document count: 10240 -Index: geneve-ut-476 +Index: geneve-ut-0476 Failure message(s): got 1000 signals, expected 1024 @@ -95,7 +95,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s Branch count: 1024 Document count: 10240 -Index: geneve-ut-479 +Index: geneve-ut-0479 Failure message(s): got 1000 signals, expected 1024 @@ -116,7 +116,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s Branch count: 160 Document count: 480 -Index: geneve-ut-493 +Index: geneve-ut-0493 Failure message(s): got 80 signals, expected 160 
@@ -158,7 +158,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 1350 Document count: 1350 -Index: geneve-ut-527 +Index: geneve-ut-0527 Failure message(s): got 1000 signals, expected 1350 @@ -185,7 +185,7 @@ process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget" Branch count: 1296 Document count: 2592 -Index: geneve-ut-531 +Index: geneve-ut-0531 Failure message(s): got 1000 signals, expected 1296 @@ -205,7 +205,7 @@ sequence by host.id with maxspan=1s Branch count: 1056 Document count: 2112 -Index: geneve-ut-535 +Index: geneve-ut-0535 Failure message(s): got 1000 signals, expected 1056 @@ -233,7 +233,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1452 Document count: 2904 -Index: geneve-ut-536 +Index: geneve-ut-0536 Failure message(s): got 1000 signals, expected 1452 @@ -261,7 +261,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 2048 Document count: 22528 -Index: geneve-ut-537 +Index: geneve-ut-0537 Failure message(s): got 1000 signals, expected 2048 @@ -280,7 +280,7 @@ sequence by host.id, source.ip, user.name with maxspan=3s Branch count: 4608 Document count: 4608 -Index: geneve-ut-672 +Index: geneve-ut-0672 Failure message(s): got 1000 signals, expected 4608 @@ -333,7 +333,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -355,7 +355,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and 
@@ -385,7 +385,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -397,7 +397,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -409,7 +409,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -421,7 +421,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -433,7 +433,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -445,7 +445,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success 
@@ -457,7 +457,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -469,7 +469,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -484,7 +484,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -496,7 +496,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -509,7 +509,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -521,7 +521,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and 
@@ -535,7 +535,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -547,7 +547,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -559,7 +559,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -571,7 +571,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -583,7 +583,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -596,7 +596,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and 
@@ -609,7 +609,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -623,7 +623,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -636,7 +636,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -648,7 +648,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -660,7 +660,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -672,7 +672,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-026 +Index: geneve-ut-0026 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success 
@@ -684,7 +684,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -696,7 +696,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -708,7 +708,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -720,7 +720,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -732,7 +732,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -744,7 +744,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success 
@@ -756,7 +756,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -768,7 +768,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -780,7 +780,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -792,7 +792,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -804,7 +804,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -816,7 +816,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success 
@@ -828,7 +828,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and @@ -841,7 +841,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -853,7 +853,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -868,7 +868,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -880,7 +880,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -892,7 +892,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and 
@@ -905,7 +905,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -918,7 +918,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -931,7 +931,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -946,7 +946,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -959,7 +959,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -972,7 +972,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -986,7 +986,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and 
@@ -999,7 +999,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1011,7 +1011,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1023,7 +1023,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1035,7 +1035,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 1 Document count: 1 -Index: geneve-ut-058 +Index: geneve-ut-0058 ```python event.dataset: network_traffic.flow and event.type: connection @@ -1050,7 +1050,7 @@ event.dataset: network_traffic.flow and event.type: connection Branch count: 26 Document count: 26 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1078,7 +1078,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -1116,7 +1116,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python any where event.action == "Directory Service Access" and event.code == "4662" and @@ -1151,7 +1151,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 4 Document count: 4 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1167,7 +1167,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python sequence by winlog.computer_name with maxspan=5m @@ -1194,7 +1194,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python process where event.type== "start" and event.action == "exec" and @@ -1212,7 +1212,7 @@ process where event.type== "start" and event.action == "exec" and Branch count: 36 Document count: 36 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1232,7 +1232,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1249,7 +1249,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -1262,7 +1262,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:okta.system and event.action:group.privilege.grant 
@@ -1274,7 +1274,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1286,7 +1286,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1301,7 +1301,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1313,7 +1313,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.agent_id_status:agent_id_mismatch @@ -1325,7 +1325,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1344,7 +1344,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1357,7 +1357,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION 
@@ -1369,7 +1369,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1384,7 +1384,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1396,7 +1396,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1408,7 +1408,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-086 +Index: geneve-ut-0086 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1420,7 +1420,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1432,7 +1432,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1444,7 +1444,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:policy.rule.deactivate 
@@ -1456,7 +1456,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1468,7 +1468,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:zone.delete @@ -1480,7 +1480,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1492,7 +1492,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1504,7 +1504,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1517,7 +1517,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 17 Document count: 17 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -1544,7 +1544,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
@@ -1560,7 +1560,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1573,7 +1573,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1592,7 +1592,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1607,7 +1607,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1619,7 +1619,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1631,7 +1631,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1643,7 +1643,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:okta.system and event.action:policy.rule.update 
@@ -1655,7 +1655,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1674,7 +1674,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1692,7 +1692,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1704,7 +1704,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1716,7 +1716,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1729,7 +1729,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1741,7 +1741,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 1 Document count: 1 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -1756,7 +1756,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1770,7 +1770,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:azure.signinlogs and @@ -1784,7 +1784,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python event.dataset:azure.signinlogs and @@ -1797,7 +1797,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:azure.signinlogs and @@ -1811,7 +1811,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1824,7 +1824,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -1836,7 +1836,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) 
@@ -1848,7 +1848,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.activitylogs and @@ -1867,7 +1867,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.activitylogs and @@ -1881,7 +1881,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.activitylogs and @@ -1899,7 +1899,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -1911,7 +1911,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -1926,7 +1926,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -1938,7 +1938,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and 
@@ -1951,7 +1951,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -1963,7 +1963,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -1975,7 +1975,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -1987,7 +1987,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -1999,7 +1999,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -2011,7 +2011,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2029,7 +2029,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2041,7 +2041,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2054,7 +2054,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2067,7 +2067,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2082,7 +2082,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) 
@@ -2094,7 +2094,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2106,7 +2106,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2118,7 +2118,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2130,7 +2130,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2142,7 +2142,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) 
@@ -2154,7 +2154,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2172,7 +2172,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -2184,7 +2184,7 @@ process where host.os.type == "linux" and event.type != "end" and process.execut Branch count: 8 Document count: 8 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -2197,7 +2197,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 9 Document count: 9 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.category:file and event.type:change and @@ -2232,7 +2232,7 @@ event.category:file and event.type:change and Branch count: 8 Document count: 8 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python process where host.os.type == "linux" and event.type == "start" and @@ -2252,7 +2252,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2270,7 +2270,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
@@ -2286,7 +2286,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 24 Document count: 24 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2302,7 +2302,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2324,7 +2324,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2338,7 +2338,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -2355,7 +2355,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2375,7 +2375,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python sequence by process.entity_id @@ -2395,7 +2395,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2412,7 +2412,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 56 Document count: 56 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python registry where host.os.type == "windows" and 
@@ -2464,7 +2464,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python library where @@ -2484,7 +2484,7 @@ library where Branch count: 24 Document count: 24 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2509,7 +2509,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python sequence by process.entity_id @@ -2529,7 +2529,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python sequence by process.entity_id @@ -2549,7 +2549,7 @@ sequence by process.entity_id Branch count: 24 Document count: 24 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2575,7 +2575,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2595,7 +2595,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -2608,7 +2608,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" 
@@ -2620,7 +2620,7 @@ file where host.os.type == "linux" and event.type == "creation" and file.extensi Branch count: 2 Document count: 2 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python registry where host.os.type == "windows" and registry.path : ( @@ -2635,7 +2635,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2647,7 +2647,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2680,7 +2680,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -2695,7 +2695,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2710,7 +2710,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) 
@@ -2722,7 +2722,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2734,7 +2734,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2746,7 +2746,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2758,7 +2758,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2770,7 +2770,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:cyberarkpas.audit and @@ -2785,7 +2785,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -2803,7 +2803,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 3 Document count: 3 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or @@ -2817,7 +2817,7 @@ event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A Branch count: 2 Document count: 2 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2831,7 +2831,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2845,7 +2845,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python sequence by process.entity_id @@ -2872,7 +2872,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2894,7 +2894,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2911,7 +2911,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -2933,7 +2933,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2947,7 +2947,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -2959,7 +2959,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.category:process and host.os.type:macos and event.type:start and @@ -2972,7 +2972,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -2984,7 +2984,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 8 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python sequence by process.entity_id with maxspan=1m @@ -2999,7 +2999,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 3 Document count: 3 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python process where host.os.type == "linux" and event.type == "start" and process.name : "find" and @@ -3012,7 +3012,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 27 Document count: 27 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3026,7 +3026,7 @@ process.args : ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", Branch count: 3 Document count: 3 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -3039,7 +3039,7 @@ process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/ Branch count: 2 Document count: 2 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3051,7 +3051,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 201 Document count: 201 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python process where @@ -3082,7 +3082,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3095,7 +3095,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3109,7 +3109,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python registry where host.os.type == "windows" and @@ -3123,7 +3123,7 @@ registry where host.os.type == "windows" and Branch count: 34 Document count: 34 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3147,7 +3147,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -3159,7 +3159,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3173,7 +3173,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3189,7 +3189,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3227,7 +3227,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3252,7 +3252,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3268,7 +3268,7 @@ process.group_leader.name : "qualys-cloud-agent" Branch count: 1 Document count: 1 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python file where host.os.type == "linux" and event.action == "opened-file" and @@ -3281,7 +3281,7 @@ file.path == "/proc/modules" and not process.parent.pid == 1 Branch count: 4 Document count: 4 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python iam where event.action == "user-member-enumerated" and @@ -3338,7 +3338,7 @@ iam where event.action == "user-member-enumerated" and Branch count: 46 Document count: 46 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3368,7 +3368,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 7 Document count: 7 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python event.category:process and host.os.type:windows and 
@@ -3383,7 +3383,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3402,7 +3402,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python sequence with maxspan=2h @@ -3425,7 +3425,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python sequence with maxspan=2h @@ -3450,7 +3450,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3479,7 +3479,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3497,7 +3497,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3509,7 +3509,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3524,7 +3524,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" 
@@ -3536,7 +3536,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 4 Document count: 4 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3561,7 +3561,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3573,7 +3573,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -3587,7 +3587,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -3600,7 +3600,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-231 +Index: geneve-ut-0231 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3612,7 +3612,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -3624,7 +3624,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3638,7 +3638,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3650,7 +3650,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 19 Document count: 19 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3701,7 +3701,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 1 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python file where host.os.type == "windows" and event.code : "2" and @@ -3730,7 +3730,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 8 Document count: 8 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and @@ -3743,7 +3743,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 12 Document count: 12 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "linux" and event.type == "start"and @@ -3759,7 +3759,7 @@ process where host.os.type == "linux" and event.type == "start"and Branch count: 375 Document count: 750 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python sequence by process.entity_id 
@@ -3786,7 +3786,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python process where host.os.type == "linux" and event.type == "start" and user.name == "root" and @@ -3800,7 +3800,7 @@ process where host.os.type == "linux" and event.type == "start" and user.name == Branch count: 11 Document count: 11 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3821,7 +3821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -3847,7 +3847,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.dataset: google_workspace.alert @@ -3859,7 +3859,7 @@ event.dataset: google_workspace.alert Branch count: 4 Document count: 4 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and @@ -3873,7 +3873,7 @@ registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Mi Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -3885,7 +3885,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) 
@@ -3897,7 +3897,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -3909,7 +3909,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -3921,7 +3921,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -3933,7 +3933,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -3945,7 +3945,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -3957,7 +3957,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success 
@@ -3969,7 +3969,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -3981,7 +3981,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -3993,7 +3993,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -4005,7 +4005,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4017,7 +4017,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4029,7 +4029,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-265 +Index: geneve-ut-0265 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success 
@@ -4041,7 +4041,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -4053,7 +4053,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -4065,7 +4065,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -4077,7 +4077,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -4089,7 +4089,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -4101,7 +4101,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success 
@@ -4113,7 +4113,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -4125,7 +4125,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -4137,7 +4137,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -4149,7 +4149,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -4162,7 +4162,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-276 +Index: geneve-ut-0276 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -4174,7 +4174,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-277 +Index: geneve-ut-0277 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS 
@@ -4186,7 +4186,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -4199,7 +4199,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-279 +Index: geneve-ut-0279 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -4211,7 +4211,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-280 +Index: geneve-ut-0280 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4224,7 +4224,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -4236,7 +4236,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -4249,7 +4249,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and 
@@ -4266,7 +4266,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -4280,7 +4280,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-285 +Index: geneve-ut-0285 ```python sequence by source.user.email with maxspan=3m @@ -4304,7 +4304,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -4325,7 +4325,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4339,7 +4339,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -4351,7 +4351,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -4363,7 +4363,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam 
@@ -4376,7 +4376,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4389,7 +4389,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python sequence by process.entity_id with maxspan=5m @@ -4406,7 +4406,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python any where @@ -4433,7 +4433,7 @@ any where Branch count: 6 Document count: 6 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) @@ -4445,7 +4445,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4460,7 +4460,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500 @@ -4472,7 +4472,7 @@ event.dataset: network_traffic.flow and network.transport:udp and destination.po Branch count: 8 Document count: 8 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4489,7 +4489,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python sequence with maxspan=1m 
@@ -4508,7 +4508,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python sequence by host.id with maxspan=1m @@ -4526,7 +4526,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python sequence by host.id with maxspan=5s @@ -4545,7 +4545,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python sequence by host.id with maxspan = 30s @@ -4561,7 +4561,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python sequence by host.id with maxspan=30s @@ -4577,7 +4577,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 4 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4593,7 +4593,7 @@ sequence by process.entity_id Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan = 5m @@ -4609,7 +4609,7 @@ sequence by process.entity_id with maxspan = 5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python registry where host.os.type == "windows" and @@ -4628,7 +4628,7 @@ registry where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -4641,7 +4641,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
@@ -4659,7 +4659,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python event.action:modified-user-account and event.code:4738 and @@ -4672,7 +4672,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4686,7 +4686,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and @@ -4734,7 +4734,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 6 Document count: 6 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and @@ -4747,7 +4747,7 @@ process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") Branch count: 3 Document count: 3 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or @@ -4760,7 +4760,7 @@ process where host.os.type == "linux" and event.action == "exec" and process.nam Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "linux" and event.type == "start" and @@ -4773,7 +4773,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "macos" and event.type == "start" and 
@@ -4788,7 +4788,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python event.dataset:kubernetes.audit_logs @@ -4803,7 +4803,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.dataset: "kubernetes.audit_logs" @@ -4817,7 +4817,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python event.dataset : "kubernetes.audit_logs" @@ -4833,7 +4833,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.dataset : "kubernetes.audit_logs" @@ -4850,7 +4850,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.dataset : "kubernetes.audit_logs" @@ -4867,7 +4867,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python event.dataset : "kubernetes.audit_logs" @@ -4884,7 +4884,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.dataset : "kubernetes.audit_logs" @@ -4917,7 +4917,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python event.dataset : "kubernetes.audit_logs" @@ -4934,7 +4934,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python event.dataset : "kubernetes.audit_logs" @@ -4951,7 +4951,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python event.dataset : "kubernetes.audit_logs" 
@@ -4968,7 +4968,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python event.dataset : "kubernetes.audit_logs" @@ -4984,7 +4984,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and @@ -5003,7 +5003,7 @@ file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp Branch count: 18 Document count: 18 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python any where event.action == "File System" and event.code == "4656" and @@ -5037,7 +5037,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 8 Document count: 8 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5055,7 +5055,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python sequence by host.id with maxspan=1m @@ -5071,7 +5071,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-340 +Index: geneve-ut-0340 ```python sequence by host.id with maxspan=1m @@ -5085,7 +5085,7 @@ sequence by host.id with maxspan=1m Branch count: 95 Document count: 95 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5141,7 +5141,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python process where event.type == "start" and 
@@ -5158,7 +5158,7 @@ process where event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5178,7 +5178,7 @@ process.args in ("root", "admin", "wheel", "staff", "sudo", Branch count: 4 Document count: 4 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python registry where host.os.type == "windows" and registry.path : ( @@ -5193,7 +5193,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python sequence with maxspan=1m @@ -5218,7 +5218,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -5230,7 +5230,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5254,7 +5254,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python sequence by host.id, user.id with maxspan=30s @@ -5268,7 +5268,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
@@ -5280,7 +5280,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5292,7 +5292,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -5304,7 +5304,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -5316,7 +5316,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -5328,7 +5328,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-357 +Index: geneve-ut-0357 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success 
@@ -5340,7 +5340,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -5352,7 +5352,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -5364,7 +5364,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -5376,7 +5376,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -5388,7 +5388,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success 
@@ -5400,7 +5400,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -5412,7 +5412,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -5424,7 +5424,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -5437,7 +5437,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -5456,7 +5456,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -5468,7 +5468,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and 
@@ -5483,7 +5483,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5497,7 +5497,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5511,7 +5511,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -5523,7 +5523,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -5535,7 +5535,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 3 Document count: 3 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5549,7 +5549,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5563,7 +5563,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5577,7 +5577,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5598,7 +5598,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5612,7 +5612,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5631,7 +5631,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -5656,7 +5656,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.category: "process" and host.os.type:windows and @@ -5674,7 +5674,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5689,7 +5689,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5703,7 +5703,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5717,7 +5717,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5757,7 +5757,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -5769,7 +5769,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5787,7 +5787,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5804,7 +5804,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and @@ -5817,7 +5817,7 @@ event.action:(updated or renamed or rename) Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.category:process and host.os.type:macos and event.type:start and @@ -5842,7 +5842,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.category:file and host.os.type:linux and event.type:change and 
@@ -5860,7 +5860,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.category:process and host.os.type:macos and event.type:start and @@ -5882,7 +5882,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 4 Document count: 4 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.category:file and event.type:change and @@ -5922,7 +5922,7 @@ event.category:file and event.type:change and Branch count: 16 Document count: 16 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -5939,7 +5939,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -5953,7 +5953,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -5965,7 +5965,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 12 Document count: 12 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5984,7 +5984,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by process.entity_id @@ -5999,7 +5999,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python sequence by process.entity_id with maxspan=10m 
@@ -6017,7 +6017,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -6029,7 +6029,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -6054,7 +6054,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -6080,7 +6080,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -6104,7 +6104,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 84 Document count: 84 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6123,7 +6123,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -6138,7 +6138,7 @@ not process.args : "/usr/bin/snap" Branch count: 1 Document count: 2 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python sequence by process.entity_id @@ -6158,7 +6158,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python sequence by process.entity_id 
@@ -6177,7 +6177,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python sequence by process.entity_id @@ -6196,7 +6196,7 @@ sequence by process.entity_id Branch count: 18 Document count: 36 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python sequence by process.entity_id @@ -6221,7 +6221,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python sequence by process.entity_id @@ -6243,7 +6243,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python registry where host.os.type == "windows" and registry.data.strings != null and @@ -6266,7 +6266,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and Branch count: 3 Document count: 3 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6279,7 +6279,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -6293,7 +6293,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping @@ -6305,7 +6305,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" 
@@ -6317,7 +6317,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -6331,7 +6331,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -6343,7 +6343,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 2 Document count: 2 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -6355,7 +6355,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -6367,7 +6367,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -6379,7 +6379,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -6394,7 +6394,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -6408,7 +6408,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6420,7 +6420,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6432,7 +6432,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6450,7 +6450,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -6463,7 +6463,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -6477,7 +6477,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python sequence by host.id with maxspan=5s @@ -6493,7 +6493,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python /* Registry Path ends with backslash */ 
@@ -6518,7 +6518,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -6543,7 +6543,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python process where host.os.type == "macos" and event.type == "start" and @@ -6563,7 +6563,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6582,7 +6582,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6595,7 +6595,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6611,7 +6611,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6624,7 +6624,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -6643,7 +6643,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6671,7 +6671,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6686,7 +6686,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python registry where host.os.type == "windows" and @@ -6749,7 +6749,7 @@ registry where host.os.type == "windows" and Branch count: 7 Document count: 7 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and @@ -6772,7 +6772,7 @@ file where host.os.type == "windows" and event.type != "deletion" and user.domai Branch count: 2 Document count: 2 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python registry where host.os.type == "windows" and registry.path : ( @@ -6787,7 +6787,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -6805,7 +6805,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) 
@@ -6817,7 +6817,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python sequence by user.email with maxspan=10m @@ -6832,7 +6832,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6845,7 +6845,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -6859,7 +6859,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 8 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and @@ -6872,7 +6872,7 @@ event.type == "start" and user.name == "postgres" and (process.parent.args : "*s Branch count: 2 Document count: 6 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python sequence by host.id, user.name with maxspan = 5s @@ -6901,7 +6901,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python process where event.type in ("start", "process_started", "info") and @@ -6925,7 +6925,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python any where event.action == "Directory Service Access" and 
@@ -6957,7 +6957,7 @@ any where event.action == "Directory Service Access" and Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python process where host.os.type == "windows" and event.code == "10" and @@ -6975,7 +6975,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python process where host.os.type == "windows" and event.code == "10" and @@ -6994,7 +6994,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 4 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python sequence by process.entity_id with maxspan=1m @@ -7012,7 +7012,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python sequence by process.entity_id @@ -7027,7 +7027,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python any where processor.name == "transaction" and @@ -7041,7 +7041,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7062,7 +7062,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7083,7 +7083,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) 
@@ -7095,7 +7095,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" @@ -7107,7 +7107,7 @@ process where event.action == "exec" and process.parent.name =="proot" and host Branch count: 2 Document count: 2 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 @@ -7119,7 +7119,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7132,7 +7132,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7145,7 +7145,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7158,7 +7158,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python process where process.name=="mount" and event.action =="exec" and @@ -7172,7 +7172,7 @@ process where process.name=="mount" and event.action =="exec" and Branch count: 60 Document count: 120 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python sequence by host.id with maxspan=1m 
@@ -7208,7 +7208,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7221,7 +7221,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7239,7 +7239,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -7253,7 +7253,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 16 Document count: 32 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python sequence by host.id with maxspan=30s @@ -7271,7 +7271,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python process where host.os.type == "linux" and event.type == "start" and @@ -7285,7 +7285,7 @@ process.args : "-u" and process.args : "0" and process.args : "-o" Branch count: 3 Document count: 6 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by process.parent.name,host.name with maxspan=1m @@ -7302,7 +7302,7 @@ sequence by process.parent.name,host.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python process where host.os.type == "linux" and process.name == "unshadow" and @@ -7315,7 +7315,7 @@ process where host.os.type == "linux" and process.name == "unshadow" and Branch count: 1 Document count: 10 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python sequence by host.id, process.parent.executable, user.name with maxspan=1s 
@@ -7329,7 +7329,7 @@ sequence by host.id, process.parent.executable, user.name with maxspan=1s Branch count: 6 Document count: 6 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7348,7 +7348,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "windows" and @@ -7402,7 +7402,7 @@ process where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -7414,7 +7414,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7454,7 +7454,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -7472,7 +7472,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4 Document count: 4 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python network where process.name : ("http", "https") @@ -7487,7 +7487,7 @@ network where process.name : ("http", "https") Branch count: 2 Document count: 4 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python sequence by process.entity_id with maxspan=1m @@ -7506,7 +7506,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and 
@@ -7546,7 +7546,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 1 Document count: 1 -Index: geneve-ut-508 +Index: geneve-ut-0508 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -7559,7 +7559,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -7574,7 +7574,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -7587,7 +7587,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -7604,7 +7604,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -7624,7 +7624,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 696 Document count: 696 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python event.category:process and host.os.type:windows and @@ -7816,7 +7816,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-514 +Index: geneve-ut-0514 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -7832,7 +7832,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -7846,7 +7846,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -7863,7 +7863,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 8 Document count: 8 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python /* This rule is compatible with both Sysmon and Elastic Endpoint */ @@ -7886,7 +7886,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 6 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -7902,7 +7902,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -7914,7 +7914,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -7926,7 +7926,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python iam where event.action == "renamed-user-account" and 
@@ -7940,7 +7940,7 @@ iam where event.action == "renamed-user-account" and Branch count: 1 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python sequence with maxspan=5s @@ -7960,7 +7960,7 @@ sequence with maxspan=5s Branch count: 2 Document count: 2 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python process where host.os.type == "linux" and @@ -7974,7 +7974,7 @@ process where host.os.type == "linux" and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python process where host.os.type == "linux" and event.type == "start" and @@ -7987,7 +7987,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python sequence by host.id, user.id with maxspan=1m @@ -8011,7 +8011,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 5 Document count: 5 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python /* Identifies the modification of RDP Shadow registry or @@ -8038,7 +8038,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8053,7 +8053,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 80 Document count: 80 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python process where event.type in ("start", "process_started") and @@ -8072,7 +8072,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 64 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python sequence by host.id with maxspan=5s @@ -8090,7 +8090,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" 
@@ -8102,7 +8102,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -8116,7 +8116,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 32 Document count: 96 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -8144,7 +8144,7 @@ sequence by host.id with maxspan=1m Branch count: 96 Document count: 96 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python file where event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -8174,7 +8174,7 @@ file.path : ( Branch count: 8 Document count: 16 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -8190,7 +8190,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 21 Document count: 21 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python event.category:process and host.os.type:windows and @@ -8215,7 +8215,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python event.category:process and host.os.type:windows and @@ -8233,7 +8233,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python event.category:process and host.os.type:windows and 
@@ -8256,7 +8256,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -8268,7 +8268,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python event.category:process and host.os.type:windows and @@ -8291,7 +8291,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8307,7 +8307,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.category:process and host.os.type:windows and @@ -8346,7 +8346,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8360,7 +8360,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -8374,7 +8374,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -8387,7 +8387,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 4 Document count: 4 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8405,7 +8405,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -8422,7 +8422,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8436,7 +8436,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 96 Document count: 96 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -8511,7 +8511,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name with maxspan=1m @@ -8532,7 +8532,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 46 Document count: 46 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8552,7 +8552,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 66 Document count: 66 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8590,7 +8590,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind Branch count: 2 Document count: 2 -Index: geneve-ut-578 +Index: geneve-ut-0578 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -8602,7 +8602,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -8614,7 +8614,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -8626,7 +8626,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python sequence by host.id with maxspan=5s @@ -8650,7 +8650,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8664,7 +8664,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -8677,7 +8677,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 2 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python sequence by process.entity_id @@ -8701,7 +8701,7 @@ sequence by process.entity_id Branch count: 46 Document count: 46 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8724,7 +8724,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python registry where host.os.type == "windows" and @@ -8745,7 +8745,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -8757,7 +8757,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -8769,7 +8769,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python registry where host.os.type == "windows" and @@ -8786,7 +8786,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python registry where host.os.type == "windows" and @@ -8808,7 +8808,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8823,7 +8823,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence with maxspan=1m @@ -8837,7 +8837,7 @@ sequence with maxspan=1m Branch count: 16 Document count: 16 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8851,7 +8851,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -8864,7 +8864,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-602 +Index: geneve-ut-0602 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8878,7 +8878,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8892,7 +8892,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -8909,7 +8909,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python sequence by host.id, process.entity_id @@ -8925,7 +8925,7 @@ sequence by host.id, process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python /* Network Logon followed by Scheduled Task creation */ 
@@ -8945,7 +8945,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8960,7 +8960,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -8979,7 +8979,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 12 Document count: 12 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9000,7 +9000,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -9042,7 +9042,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 8 Document count: 16 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python sequence with maxspan=1s @@ -9089,7 +9089,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9102,7 +9102,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-614 +Index: geneve-ut-0614 ```python event.dataset: (network_traffic.http or network_traffic.tls) and @@ -9148,7 +9148,7 @@ event.dataset: (network_traffic.http or network_traffic.tls) and Branch count: 4 Document count: 4 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python registry where host.os.type == "windows" and event.type:"change" and 
@@ -9167,7 +9167,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-618 +Index: geneve-ut-0618 ```python event.category:file and event.type:(change or creation) and @@ -9193,7 +9193,7 @@ event.category:file and event.type:(change or creation) and Branch count: 60 Document count: 120 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python sequence by host.id with maxspan = 30s @@ -9212,7 +9212,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python registry where host.os.type == "windows" and @@ -9228,7 +9228,7 @@ registry where host.os.type == "windows" and Branch count: 27 Document count: 27 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -9269,7 +9269,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -9303,7 +9303,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9317,7 +9317,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9331,7 +9331,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 58 Document count: 58 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python process where event.type == "start" and 
@@ -9377,7 +9377,7 @@ process.name : "grep" and user.id != "0" and Branch count: 135 Document count: 135 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python event.category:process and host.os.type:linux and event.type:start and @@ -9420,7 +9420,7 @@ event.category:process and host.os.type:linux and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -9433,7 +9433,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python sequence by process.entity_id with maxspan = 1m @@ -9450,7 +9450,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -9470,7 +9470,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python sequence by winlog.computer_name with maxspan=5m @@ -9494,7 +9494,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -9506,7 +9506,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python sequence by host.id with maxspan=5s @@ -9520,7 +9520,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python process where host.os.type == "windows" and event.type == "start" 
@@ -9534,7 +9534,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9548,7 +9548,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 28 Document count: 28 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9572,7 +9572,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -9597,7 +9597,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -9630,7 +9630,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -9655,7 +9655,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 2 Document count: 2 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) @@ -9667,7 +9667,7 @@ event.category:file and event.type:change and file.path:(/etc/sudoers* or /priva Branch count: 16 Document count: 16 -Index: geneve-ut-654 +Index: geneve-ut-0654 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9681,7 +9681,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-655 +Index: geneve-ut-0655 ```python event.category:process and host.os.type:windows and @@ -9706,7 +9706,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -9718,7 +9718,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python file where host.os.type == "windows" and event.action != "deletion" and file.path != null and @@ -9731,7 +9731,7 @@ file where host.os.type == "windows" and event.action != "deletion" and file.pat Branch count: 2 Document count: 4 -Index: geneve-ut-658 +Index: geneve-ut-0658 ```python sequence by host.id with maxspan=30s @@ -9745,7 +9745,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9775,7 +9775,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -9799,7 +9799,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9813,7 +9813,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9836,7 +9836,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9850,7 +9850,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -9866,7 +9866,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -9879,7 +9879,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python any where host.os.type == "windows" and @@ -9912,7 +9912,7 @@ any where host.os.type == "windows" and Branch count: 44 Document count: 44 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9948,7 +9948,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9967,7 +9967,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -9983,7 +9983,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where host.os.type == "windows" and event.type : "start" and @@ -10003,7 +10003,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10027,7 +10027,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10040,7 +10040,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python any where host.os.type == "windows" and @@ -10055,7 +10055,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-680 +Index: geneve-ut-0680 ```python registry where host.os.type == "windows" and registry.path : ( @@ -10072,7 +10072,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-681 +Index: geneve-ut-0681 ```python process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and 
@@ -10086,7 +10086,7 @@ process where host.os.type == "windows" and event.action == "start" and process. Branch count: 16 Document count: 16 -Index: geneve-ut-682 +Index: geneve-ut-0682 ```python process where event.type in ("start", "process_started") and @@ -10100,7 +10100,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "windows" and event.code == "10" and @@ -10119,7 +10119,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python process where host.os.type == "windows" and event.code == "10" and @@ -10149,7 +10149,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 456 Document count: 456 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10169,7 +10169,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 52 Document count: 52 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10190,7 +10190,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 128 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python sequence by process.entity_id with maxspan=5m @@ -10213,7 +10213,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 14 Document count: 14 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python file where host.os.type == "linux" and event.type == "creation" and 
@@ -10227,7 +10227,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 9 Document count: 9 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and @@ -10241,7 +10241,7 @@ file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and n Branch count: 2 Document count: 2 -Index: geneve-ut-692 +Index: geneve-ut-0692 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -10317,7 +10317,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 1 Document count: 2 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by process.entity_id with maxspan=1m @@ -10333,7 +10333,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 212 Document count: 212 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10357,7 +10357,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python event.category:process and host.os.type:windows and @@ -10372,7 +10372,7 @@ event.category:process and host.os.type:windows and Branch count: 48 Document count: 48 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python library where host.os.type == "windows" and @@ -10411,7 +10411,7 @@ library where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -10425,7 +10425,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-700 +Index: geneve-ut-0700 ```python sequence by host.id with maxspan=30s 
@@ -10449,7 +10449,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -10482,7 +10482,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -10501,7 +10501,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10514,7 +10514,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python process where host.os.type == "linux" and @@ -10529,7 +10529,7 @@ process.executable : ("*sh", "python*", "perl", "php*") Branch count: 48 Document count: 48 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python any where host.os.type == "windows" and @@ -10557,7 +10557,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-709 +Index: geneve-ut-0709 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -10575,7 +10575,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python file where host.os.type == "linux" and event.action == "rename" and @@ -10589,7 +10589,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and 
@@ -10602,7 +10602,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 2 Document count: 4 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by process.entity_id with maxspan=2m @@ -10636,7 +10636,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 2 Document count: 2 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10661,7 +10661,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python registry where host.os.type == "windows" and @@ -10691,7 +10691,7 @@ registry where host.os.type == "windows" and Branch count: 9 Document count: 9 -Index: geneve-ut-716 +Index: geneve-ut-0716 ```python file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and @@ -10704,7 +10704,7 @@ file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not pro Branch count: 2 Document count: 2 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx") @@ -10717,7 +10717,7 @@ and process.parent.name : "kill" Branch count: 30 Document count: 30 -Index: geneve-ut-719 +Index: geneve-ut-0719 ```python any where host.os.type == "windows" and @@ -10732,7 +10732,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python sequence by process.entity_id with maxspan = 2m @@ -10750,7 +10750,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10769,7 +10769,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10782,7 +10782,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-723 +Index: geneve-ut-0723 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -10828,7 +10828,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10860,7 +10860,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10876,7 +10876,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python process where event.type == "start" and event.action == "exec" and @@ -10889,7 +10889,7 @@ process where event.type == "start" and event.action == "exec" and Branch count: 2 Document count: 2 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10903,7 +10903,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python file where host.os.type == "linux" and event.type == "deletion" and 
@@ -10930,7 +10930,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python process where event.type == "start" and @@ -10943,7 +10943,7 @@ process where event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-730 +Index: geneve-ut-0730 ```python process where event.type == "start" and @@ -10956,7 +10956,7 @@ process where event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10973,7 +10973,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10990,7 +10990,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11007,7 +11007,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11020,7 +11020,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-735 +Index: geneve-ut-0735 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -11033,7 +11033,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 90 Document count: 90 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python process where event.type in ("start", "process_started") and 
@@ -11056,7 +11056,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -11070,7 +11070,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python file where host.os.type == "windows" and event.type == "deletion" and @@ -11098,7 +11098,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python process where event.type == "start" and @@ -11113,7 +11113,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11130,7 +11130,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -11146,7 +11146,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11159,7 +11159,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-747 +Index: geneve-ut-0747 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and 
@@ -11174,7 +11174,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-748 +Index: geneve-ut-0748 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11190,7 +11190,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11205,7 +11205,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11221,7 +11221,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -11233,7 +11233,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -11245,7 +11245,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-756 +Index: geneve-ut-0756 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -11259,7 +11259,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11273,7 +11273,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and @@ -11286,7 +11286,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence with maxspan=1h @@ -11304,7 +11304,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11326,7 +11326,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -11399,7 +11399,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -11413,7 +11413,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by process.entity_id with maxspan=5m @@ -11475,7 +11475,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -11494,7 +11494,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python sequence by host.id, process.entity_id with maxspan=1m 
@@ -11513,7 +11513,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11550,7 +11550,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 32 Document count: 32 -Index: geneve-ut-784 +Index: geneve-ut-0784 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11591,7 +11591,7 @@ process.parent.name != null and Branch count: 8 Document count: 8 -Index: geneve-ut-785 +Index: geneve-ut-0785 ```python registry where host.os.type == "windows" and @@ -11623,7 +11623,7 @@ registry where host.os.type == "windows" and Branch count: 32 Document count: 32 -Index: geneve-ut-786 +Index: geneve-ut-0786 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11646,7 +11646,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11659,7 +11659,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python sequence by process.entity_id @@ -11696,7 +11696,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11711,7 +11711,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) 
@@ -11723,7 +11723,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -11735,7 +11735,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-807 +Index: geneve-ut-0807 ```python iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and @@ -11755,7 +11755,7 @@ iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" a Branch count: 1 Document count: 1 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -11769,7 +11769,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 3 Document count: 3 -Index: geneve-ut-809 +Index: geneve-ut-0809 ```python event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -11814,7 +11814,7 @@ event.dataset: network_traffic.flow and network.transport:tcp and destination.po Branch count: 3 Document count: 3 -Index: geneve-ut-810 +Index: geneve-ut-0810 ```python event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -11859,7 +11859,7 @@ event.dataset: network_traffic.flow and network.transport:tcp and destination.po Branch count: 10 Document count: 10 -Index: geneve-ut-811 +Index: geneve-ut-0811 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and 
@@ -11877,7 +11877,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python process where event.type == "start" and @@ -11892,7 +11892,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11909,7 +11909,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "windows" and event.type == "start" @@ -11923,7 +11923,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11939,7 +11939,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-816 +Index: geneve-ut-0816 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11953,7 +11953,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python sequence by host.id with maxspan = 2s @@ -11982,7 +11982,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-818 +Index: geneve-ut-0818 ```python http.response.status_code:403 and http.request.method:post @@ -11994,7 +11994,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python http.response.status_code:405 
@@ -12006,7 +12006,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -12018,7 +12018,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 42 Document count: 42 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12032,7 +12032,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python event.category:process and host.os.type:macos and event.type:start and @@ -12048,7 +12048,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-823 +Index: geneve-ut-0823 ```python file where event.type == "deletion" and @@ -12065,7 +12065,7 @@ file where event.type == "deletion" and Branch count: 33 Document count: 33 -Index: geneve-ut-824 +Index: geneve-ut-0824 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and @@ -12094,7 +12094,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 32 Document count: 32 -Index: geneve-ut-825 +Index: geneve-ut-0825 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12131,7 +12131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-827 +Index: geneve-ut-0827 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -12164,7 +12164,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 12 Document count: 12 -Index: geneve-ut-828 +Index: geneve-ut-0828 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12179,7 +12179,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-829 +Index: geneve-ut-0829 ```python event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" @@ -12191,7 +12191,7 @@ event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" Branch count: 16 Document count: 16 -Index: geneve-ut-830 +Index: geneve-ut-0830 ```python process where host.os.type == "windows" and event.action == "start" and @@ -12207,7 +12207,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-831 +Index: geneve-ut-0831 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12232,7 +12232,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-832 +Index: geneve-ut-0832 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -12247,7 +12247,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-833 +Index: geneve-ut-0833 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12260,7 +12260,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 216 Document count: 432 -Index: geneve-ut-834 +Index: geneve-ut-0834 ```python sequence by host.id with maxspan = 5s @@ -12300,7 +12300,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-835 +Index: geneve-ut-0835 ```python event.action:"service-installed" and @@ -12313,7 +12313,7 @@ event.action:"service-installed" and Branch count: 2 Document count: 2 -Index: geneve-ut-836 +Index: geneve-ut-0836 ```python registry where host.os.type == "windows" and 
@@ -12328,7 +12328,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-837 +Index: geneve-ut-0837 ```python process where host.os.type == "windows" and event.type : "start" and @@ -12342,7 +12342,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-838 +Index: geneve-ut-0838 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12370,7 +12370,7 @@ process.parent.executable : ( Branch count: 18 Document count: 18 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where event.type == "start" and @@ -12395,7 +12395,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-840 +Index: geneve-ut-0840 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12409,7 +12409,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-841 +Index: geneve-ut-0841 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.7.md b/tests/reports/alerts_from_rules-8.7.md index 29387adf..2747d402 100644 --- a/tests/reports/alerts_from_rules-8.7.md +++ b/tests/reports/alerts_from_rules-8.7.md @@ -18,7 +18,7 @@ Rules version: 8.7.13 Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -30,7 +30,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 4 Document count: 4 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and 
@@ -46,7 +46,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -59,7 +59,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -74,7 +74,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4608 Document count: 13824 -Index: geneve-ut-252 +Index: geneve-ut-0252 Failure message(s): got 1000 signals, expected 4608 @@ -97,7 +97,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-510 +Index: geneve-ut-0510 Failure message(s): got 1000 signals, expected 1024 @@ -118,7 +118,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s Branch count: 1024 Document count: 10240 -Index: geneve-ut-513 +Index: geneve-ut-0513 Failure message(s): got 1000 signals, expected 1024 @@ -139,7 +139,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s Branch count: 160 Document count: 480 -Index: geneve-ut-529 +Index: geneve-ut-0529 Failure message(s): got 80 signals, expected 160 @@ -181,7 +181,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 1350 Document count: 1350 -Index: geneve-ut-574 +Index: geneve-ut-0574 Failure message(s): got 1000 signals, expected 1350 @@ -209,7 +209,7 @@ not process.name == "phpquery" Branch count: 2592 Document count: 5184 -Index: geneve-ut-578 +Index: geneve-ut-0578 Failure message(s): got 1000 signals, expected 2592 @@ -229,7 +229,7 @@ sequence by host.id with maxspan=1s Branch count: 2112 Document count: 4224 -Index: geneve-ut-582 +Index: geneve-ut-0582 Failure message(s): got 1000 signals, expected 2112 
@@ -257,7 +257,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2904 Document count: 5808 -Index: geneve-ut-583 +Index: geneve-ut-0583 Failure message(s): got 1000 signals, expected 2904 @@ -285,7 +285,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 2048 Document count: 22528 -Index: geneve-ut-593 +Index: geneve-ut-0593 Failure message(s): got 1000 signals, expected 2048 @@ -304,7 +304,7 @@ sequence by host.id, source.ip, user.name with maxspan=3s Branch count: 4608 Document count: 4608 -Index: geneve-ut-740 +Index: geneve-ut-0740 Failure message(s): got 1000 signals, expected 4608 @@ -355,7 +355,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1584 Document count: 3168 -Index: geneve-ut-797 +Index: geneve-ut-0797 Failure message(s): got 1000 signals, expected 1584 @@ -397,7 +397,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -419,7 +419,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -449,7 +449,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -461,7 +461,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success 
@@ -473,7 +473,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -485,7 +485,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -497,7 +497,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -509,7 +509,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -521,7 +521,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -533,7 +533,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -548,7 +548,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -560,7 +560,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -573,7 +573,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -585,7 +585,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -599,7 +599,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -611,7 +611,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success 
@@ -623,7 +623,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -635,7 +635,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -647,7 +647,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -660,7 +660,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -673,7 +673,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -687,7 +687,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and 
@@ -700,7 +700,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -712,7 +712,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -724,7 +724,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -736,7 +736,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-026 +Index: geneve-ut-0026 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -748,7 +748,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -760,7 +760,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -772,7 +772,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -784,7 +784,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -796,7 +796,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -808,7 +808,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -820,7 +820,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -832,7 +832,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success 
@@ -844,7 +844,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -856,7 +856,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -868,7 +868,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -880,7 +880,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -892,7 +892,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and @@ -905,7 +905,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success 
@@ -917,7 +917,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -932,7 +932,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -944,7 +944,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -956,7 +956,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -969,7 +969,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -982,7 +982,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and 
@@ -995,7 +995,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1010,7 +1010,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -1023,7 +1023,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1036,7 +1036,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -1050,7 +1050,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -1063,7 +1063,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1075,7 +1075,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -1087,7 +1087,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1099,7 +1099,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 1 Document count: 1 -Index: geneve-ut-058 +Index: geneve-ut-0058 ```python event.dataset: network_traffic.flow and event.type: connection @@ -1114,7 +1114,7 @@ event.dataset: network_traffic.flow and event.type: connection Branch count: 26 Document count: 26 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1142,7 +1142,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1180,7 +1180,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python any where event.action == "Directory Service Access" and event.code == "4662" and @@ -1215,7 +1215,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and 
@@ -1228,7 +1228,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1244,7 +1244,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python sequence by winlog.computer_name with maxspan=5m @@ -1271,7 +1271,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python process where event.type== "start" and event.action == "exec" and @@ -1289,7 +1289,7 @@ process where event.type== "start" and event.action == "exec" and Branch count: 36 Document count: 36 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1309,7 +1309,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1326,7 +1326,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -1339,7 +1339,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1351,7 +1351,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:okta.system and event.action:user.account.privilege.grant 
@@ -1363,7 +1363,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1378,7 +1378,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1390,7 +1390,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.agent_id_status:agent_id_mismatch @@ -1402,7 +1402,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1421,7 +1421,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1434,7 +1434,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1446,7 +1446,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and 
@@ -1461,7 +1461,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1473,7 +1473,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-086 +Index: geneve-ut-0086 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1485,7 +1485,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1497,7 +1497,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1509,7 +1509,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1521,7 +1521,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1533,7 +1533,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:policy.rule.deactivate 
@@ -1545,7 +1545,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1557,7 +1557,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:zone.delete @@ -1569,7 +1569,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1581,7 +1581,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1593,7 +1593,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1606,7 +1606,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 17 Document count: 17 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -1633,7 +1633,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
@@ -1649,7 +1649,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1662,7 +1662,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1681,7 +1681,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1696,7 +1696,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1708,7 +1708,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1720,7 +1720,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1732,7 +1732,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:okta.system and event.action:policy.rule.update 
@@ -1744,7 +1744,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1763,7 +1763,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1781,7 +1781,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1793,7 +1793,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1805,7 +1805,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1818,7 +1818,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1830,7 +1830,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 2 Document count: 2 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.pem*", "*.id_rsa*") and 
@@ -1850,7 +1850,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 1 Document count: 1 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -1865,7 +1865,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1879,7 +1879,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-117 +Index: geneve-ut-0117 ```python event.dataset:azure.signinlogs and @@ -1893,7 +1893,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.dataset:azure.signinlogs and @@ -1906,7 +1906,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.signinlogs and @@ -1920,7 +1920,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -1933,7 +1933,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) 
@@ -1945,7 +1945,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -1957,7 +1957,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and @@ -1976,7 +1976,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.activitylogs and @@ -1990,7 +1990,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and @@ -2008,7 +2008,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2020,7 +2020,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2035,7 +2035,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) 
@@ -2047,7 +2047,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2060,7 +2060,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2072,7 +2072,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2084,7 +2084,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2096,7 +2096,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -2108,7 +2108,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2120,7 +2120,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2138,7 +2138,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2150,7 +2150,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2163,7 +2163,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2176,7 +2176,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: 
@@ -2191,7 +2191,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2203,7 +2203,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2215,7 +2215,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2227,7 +2227,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2239,7 +2239,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2251,7 +2251,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) 
@@ -2263,7 +2263,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2281,7 +2281,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -2293,7 +2293,7 @@ process where host.os.type == "linux" and event.type != "end" and process.execut Branch count: 8 Document count: 8 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -2306,7 +2306,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 9 Document count: 9 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python event.category:file and event.type:change and @@ -2341,7 +2341,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2356,7 +2356,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2371,7 +2371,7 @@ user.id == "0" Branch count: 13 Document count: 13 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2393,7 +2393,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python file where event.action : "creation" and @@ -2417,7 +2417,7 @@ file where event.action : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2435,7 +2435,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2451,7 +2451,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 24 Document count: 24 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2467,7 +2467,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2489,7 +2489,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2503,7 +2503,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and 
@@ -2520,7 +2520,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2540,7 +2540,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python sequence by process.entity_id @@ -2560,7 +2560,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2577,7 +2577,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 56 Document count: 56 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python registry where host.os.type == "windows" and @@ -2629,7 +2629,7 @@ registry where host.os.type == "windows" and Branch count: 12 Document count: 12 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python library where @@ -2658,7 +2658,7 @@ library where Branch count: 24 Document count: 24 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2683,7 +2683,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-171 +Index: geneve-ut-0171 ```python sequence by process.entity_id @@ -2703,7 +2703,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python sequence by process.entity_id @@ -2723,7 +2723,7 @@ sequence by process.entity_id Branch count: 24 Document count: 24 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2749,7 +2749,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2769,7 +2769,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -2782,7 +2782,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" @@ -2794,7 +2794,7 @@ file where host.os.type == "linux" and event.type == "creation" and file.extensi Branch count: 2 Document count: 2 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python file where event.type in ("change", "creation") and host.os.type == "linux" and @@ -2807,7 +2807,7 @@ file.path : "/lib/modules/*" and file.name : "*.ko" Branch count: 1 Document count: 1 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -2820,7 +2820,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python registry where host.os.type == "windows" and registry.path : ( @@ -2835,7 +2835,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") 
@@ -2847,7 +2847,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2880,7 +2880,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -2895,7 +2895,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2910,7 +2910,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2922,7 +2922,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2934,7 +2934,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) 
@@ -2946,7 +2946,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2958,7 +2958,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2970,7 +2970,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.dataset:cyberarkpas.audit and @@ -2985,7 +2985,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -3003,7 +3003,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 3 Document count: 3 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or @@ -3017,7 +3017,7 @@ event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3031,7 +3031,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3045,7 +3045,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) @@ -3057,7 +3057,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") @@ -3069,7 +3069,7 @@ process where host.os.type == "linux" and event.action == "exec" and process.env Branch count: 4 Document count: 8 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python sequence by process.entity_id @@ -3096,7 +3096,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3118,7 +3118,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3135,7 +3135,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3157,7 +3157,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3171,7 +3171,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where event.type : ("start", "process_started") and host.os.type == "linux" and @@ -3186,7 +3186,7 @@ process where event.type : ("start", "process_started") and host.os.type == "li Branch count: 3 Document count: 3 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3200,7 +3200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3212,7 +3212,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3225,7 +3225,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3237,7 +3237,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 8 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python sequence by process.entity_id with maxspan=1m @@ -3252,7 +3252,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "linux" and event.type == "start" and process.name : "find" and 
@@ -3265,7 +3265,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 27 Document count: 27 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3279,7 +3279,7 @@ process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", Branch count: 3 Document count: 3 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3292,7 +3292,7 @@ process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/ Branch count: 2 Document count: 2 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3304,7 +3304,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 201 Document count: 201 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where @@ -3335,7 +3335,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3348,7 +3348,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3362,7 +3362,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python registry where host.os.type == "windows" and @@ -3376,7 +3376,7 @@ registry where host.os.type == "windows" and Branch count: 34 Document count: 34 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3400,7 +3400,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -3412,7 +3412,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3426,7 +3426,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3442,7 +3442,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3480,7 +3480,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3505,7 +3505,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not @@ -3521,7 +3521,7 @@ file where host.os.type == "linux" and event.action == "opened-file" and file.pa Branch count: 4 Document count: 4 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python iam where event.action == "user-member-enumerated" and 
@@ -3578,7 +3578,7 @@ iam where event.action == "user-member-enumerated" and Branch count: 46 Document count: 46 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3608,7 +3608,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 7 Document count: 7 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python event.category:process and host.os.type:windows and @@ -3623,7 +3623,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3642,7 +3642,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python sequence with maxspan=2h @@ -3665,7 +3665,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python sequence with maxspan=2h @@ -3690,7 +3690,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3719,7 +3719,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3737,7 +3737,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -3749,7 +3749,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -3772,7 +3772,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3784,7 +3784,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 4 Document count: 4 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3809,7 +3809,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3821,7 +3821,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -3835,7 +3835,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python driver where host.os.type == "windows" and process.pid == 4 and 
@@ -3848,7 +3848,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3860,7 +3860,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-246 +Index: geneve-ut-0246 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3872,7 +3872,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3886,7 +3886,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3898,7 +3898,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 19 Document count: 19 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3949,7 +3949,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 1 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python file where host.os.type == "windows" and event.code : "2" and @@ -3978,7 +3978,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 4 Document count: 4 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.category:process and host.os.type:linux and event.type:start and process.name:shred and 
@@ -3991,7 +3991,7 @@ process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.nam Branch count: 12 Document count: 12 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python process where host.os.type == "linux" and event.type == "start"and @@ -4007,7 +4007,7 @@ process where host.os.type == "linux" and event.type == "start"and Branch count: 1 Document count: 1 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4022,7 +4022,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 375 Document count: 750 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python sequence by process.entity_id @@ -4049,7 +4049,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4067,7 +4067,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python process where host.os.type == "linux" and event.type == "start" and user.name == "root" and @@ -4081,7 +4081,7 @@ process where host.os.type == "linux" and event.type == "start" and user.name == Branch count: 11 Document count: 11 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4107,7 +4107,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and 
@@ -4133,7 +4133,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python event.dataset: google_workspace.alert @@ -4145,7 +4145,7 @@ event.dataset: google_workspace.alert Branch count: 4 Document count: 4 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and @@ -4159,7 +4159,7 @@ registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Mi Branch count: 2 Document count: 2 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4171,7 +4171,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4183,7 +4183,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4195,7 +4195,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -4207,7 +4207,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -4219,7 +4219,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -4231,7 +4231,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -4243,7 +4243,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-276 +Index: geneve-ut-0276 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -4255,7 +4255,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-277 +Index: geneve-ut-0277 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -4267,7 +4267,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success 
@@ -4279,7 +4279,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-279 +Index: geneve-ut-0279 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -4291,7 +4291,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-280 +Index: geneve-ut-0280 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4303,7 +4303,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4315,7 +4315,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -4327,7 +4327,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -4339,7 +4339,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success 
@@ -4351,7 +4351,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-285 +Index: geneve-ut-0285 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -4363,7 +4363,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -4375,7 +4375,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -4387,7 +4387,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -4399,7 +4399,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -4411,7 +4411,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -4423,7 +4423,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success 
@@ -4435,7 +4435,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python configuration where event.dataset == "github.audit" @@ -4448,7 +4448,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -4460,7 +4460,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -4473,7 +4473,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -4485,7 +4485,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -4497,7 +4497,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -4510,7 +4510,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE 
@@ -4522,7 +4522,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4535,7 +4535,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -4547,7 +4547,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -4560,7 +4560,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -4577,7 +4577,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -4591,7 +4591,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python sequence by source.user.email with maxspan=3m @@ -4615,7 +4615,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
@@ -4636,7 +4636,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4650,7 +4650,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -4662,7 +4662,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -4674,7 +4674,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -4687,7 +4687,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4700,7 +4700,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python file where event.type : "creation" and process.name : "chflags" @@ -4712,7 +4712,7 @@ file where event.type : "creation" and process.name : "chflags" Branch count: 1 Document count: 2 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python sequence by process.entity_id with maxspan=5m 
@@ -4729,7 +4729,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python any where @@ -4756,7 +4756,7 @@ any where Branch count: 3 Document count: 3 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python process where host.os.type == "linux" and event.type == "start" @@ -4769,7 +4769,7 @@ and process.name in ("hping", "hping2", "hping3") Branch count: 2 Document count: 2 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4784,7 +4784,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500 @@ -4796,7 +4796,7 @@ event.dataset: network_traffic.flow and network.transport:udp and destination.po Branch count: 8 Document count: 8 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4813,7 +4813,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python sequence with maxspan=1m @@ -4832,7 +4832,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python sequence by host.id with maxspan=1m @@ -4850,7 +4850,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python sequence by host.id with maxspan=5s @@ -4869,7 +4869,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python sequence by host.id with maxspan = 30s 
@@ -4885,7 +4885,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python sequence by host.id with maxspan=30s @@ -4901,7 +4901,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4914,7 +4914,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4927,7 +4927,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4943,7 +4943,7 @@ sequence by process.entity_id Branch count: 4 Document count: 8 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python sequence by process.entity_id with maxspan = 5m @@ -4959,7 +4959,7 @@ sequence by process.entity_id with maxspan = 5m Branch count: 4 Document count: 4 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python registry where host.os.type == "windows" and @@ -4978,7 +4978,7 @@ registry where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -4991,7 +4991,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
@@ -5009,7 +5009,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 1 Document count: 1 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python event.action:modified-user-account and event.code:4738 and @@ -5022,7 +5022,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -5036,7 +5036,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and @@ -5084,7 +5084,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 6 Document count: 6 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and @@ -5097,7 +5097,7 @@ process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") Branch count: 21 Document count: 21 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or @@ -5111,7 +5111,7 @@ process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh Branch count: 1 Document count: 1 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" @@ -5123,7 +5123,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 16 Document count: 16 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "macos" and event.type == "start" and 
@@ -5138,7 +5138,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -5150,7 +5150,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-347 +Index: geneve-ut-0347 ```python event.dataset:kubernetes.audit_logs @@ -5165,7 +5165,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python event.dataset: "kubernetes.audit_logs" @@ -5179,7 +5179,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python event.dataset : "kubernetes.audit_logs" @@ -5195,7 +5195,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python event.dataset : "kubernetes.audit_logs" @@ -5212,7 +5212,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python event.dataset : "kubernetes.audit_logs" @@ -5229,7 +5229,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python event.dataset : "kubernetes.audit_logs" @@ -5246,7 +5246,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-354 +Index: geneve-ut-0354 ```python event.dataset : "kubernetes.audit_logs" @@ -5279,7 +5279,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-355 +Index: geneve-ut-0355 ```python event.dataset : "kubernetes.audit_logs" 
@@ -5296,7 +5296,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python event.dataset : "kubernetes.audit_logs" @@ -5313,7 +5313,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-357 +Index: geneve-ut-0357 ```python event.dataset : "kubernetes.audit_logs" @@ -5330,7 +5330,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python event.dataset : "kubernetes.audit_logs" @@ -5346,7 +5346,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and @@ -5365,7 +5365,7 @@ file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp Branch count: 18 Document count: 18 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python any where event.action == "File System" and event.code == "4656" and @@ -5399,7 +5399,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 2 Document count: 2 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python api where host.os.type == "windows" and @@ -5437,7 +5437,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5455,7 +5455,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python sequence by host.id with maxspan=1m @@ -5471,7 +5471,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-364 +Index: geneve-ut-0364 ```python sequence by host.id with maxspan=1m 
@@ -5485,7 +5485,7 @@ sequence by host.id with maxspan=1m Branch count: 81 Document count: 81 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5547,7 +5547,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -5562,7 +5562,7 @@ process.args != "1" Branch count: 16 Document count: 16 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python process where event.type == "start" and @@ -5579,7 +5579,7 @@ process where event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5599,7 +5599,7 @@ process.args in ("root", "admin", "wheel", "staff", "sudo", Branch count: 4 Document count: 4 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python registry where host.os.type == "windows" and registry.path : ( @@ -5614,7 +5614,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python sequence with maxspan=1m @@ -5639,7 +5639,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -5651,7 +5651,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -5675,7 +5675,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python sequence by host.id, user.id with maxspan=30s @@ -5689,7 +5689,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5701,7 +5701,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5713,7 +5713,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -5725,7 +5725,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success 
@@ -5737,7 +5737,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -5749,7 +5749,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -5761,7 +5761,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -5773,7 +5773,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -5785,7 +5785,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success 
@@ -5797,7 +5797,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -5809,7 +5809,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -5821,7 +5821,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -5833,7 +5833,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -5845,7 +5845,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -5858,7 +5858,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:o365.audit and event.provider:Exchange and 
@@ -5877,7 +5877,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -5889,7 +5889,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -5904,7 +5904,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5918,7 +5918,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5932,7 +5932,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -5944,7 +5944,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success 
@@ -5956,7 +5956,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 3 Document count: 3 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5970,7 +5970,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5984,7 +5984,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5998,7 +5998,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6019,7 +6019,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6033,7 +6033,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6052,7 +6052,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -6077,7 +6077,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.category: "process" and host.os.type:windows and @@ -6095,7 +6095,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6110,7 +6110,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6124,7 +6124,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6138,7 +6138,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6178,7 +6178,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -6190,7 +6190,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -6208,7 +6208,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6225,7 +6225,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and @@ -6238,7 +6238,7 @@ event.action:(updated or renamed or rename) Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6263,7 +6263,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python event.category:file and host.os.type:linux and event.type:change and @@ -6281,7 +6281,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6303,7 +6303,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 4 Document count: 4 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.category:file and event.type:change and @@ -6343,7 +6343,7 @@ event.category:file and event.type:change and Branch count: 16 Document count: 16 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and 
@@ -6360,7 +6360,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -6374,7 +6374,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -6386,7 +6386,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 1 Document count: 1 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6400,7 +6400,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6419,7 +6419,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python sequence by process.entity_id @@ -6434,7 +6434,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python sequence by process.entity_id with maxspan=10m @@ -6452,7 +6452,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) 
@@ -6464,7 +6464,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -6489,7 +6489,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -6515,7 +6515,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -6539,7 +6539,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 84 Document count: 84 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6558,7 +6558,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -6573,7 +6573,7 @@ not process.args : "/usr/bin/snap" Branch count: 2 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python registry where event.type == "change" and @@ -6589,7 +6589,7 @@ registry where event.type == "change" and Branch count: 2 Document count: 4 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -6605,7 +6605,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python sequence by process.entity_id 
@@ -6625,7 +6625,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python sequence by process.entity_id @@ -6644,7 +6644,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python sequence by process.entity_id @@ -6663,7 +6663,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python sequence by host.id with maxspan=1m @@ -6680,7 +6680,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python sequence by process.entity_id @@ -6705,7 +6705,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python sequence by process.entity_id @@ -6727,7 +6727,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python registry where host.os.type == "windows" and registry.data.strings != null and @@ -6750,7 +6750,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and Branch count: 2 Document count: 2 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -6766,7 +6766,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6779,7 +6779,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or 
@@ -6793,7 +6793,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "nping" @@ -6805,7 +6805,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 1 Document count: 1 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -6817,7 +6817,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -6831,7 +6831,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -6843,7 +6843,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -6856,7 +6856,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) 
@@ -6868,7 +6868,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -6880,7 +6880,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -6892,7 +6892,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -6907,7 +6907,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6921,7 +6921,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6933,7 +6933,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) 
@@ -6945,7 +6945,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6963,7 +6963,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -6976,7 +6976,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -6990,7 +6990,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python sequence by host.id with maxspan=5s @@ -7006,7 +7006,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python /* Registry Path ends with backslash */ @@ -7031,7 +7031,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -7057,7 +7057,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python process where host.os.type == "macos" and event.type == "start" and @@ -7077,7 +7077,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -7096,7 +7096,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7109,7 +7109,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7125,7 +7125,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7138,7 +7138,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7157,7 +7157,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7185,7 +7185,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7200,7 +7200,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python registry where host.os.type == "windows" and @@ -7263,7 +7263,7 @@ registry where host.os.type == "windows" and Branch count: 7 Document count: 7 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and 
@@ -7286,7 +7286,7 @@ file where host.os.type == "windows" and event.type != "deletion" and user.domai Branch count: 2 Document count: 2 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python registry where host.os.type == "windows" and registry.path : ( @@ -7301,7 +7301,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -7319,7 +7319,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -7331,7 +7331,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python sequence by user.email with maxspan=10m @@ -7346,7 +7346,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7359,7 +7359,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -7373,7 +7373,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 8 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
@@ -7389,7 +7389,7 @@ event.type == "start" and user.name == "postgres" and ( Branch count: 2 Document count: 6 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python sequence by host.id, user.name with maxspan = 5s @@ -7418,7 +7418,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where event.type in ("start", "process_started", "info") and @@ -7442,7 +7442,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python any where event.action == "Directory Service Access" and @@ -7474,7 +7474,7 @@ any where event.action == "Directory Service Access" and Branch count: 1 Document count: 1 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7492,7 +7492,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7511,7 +7511,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 4 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python sequence by process.entity_id with maxspan=1m @@ -7529,7 +7529,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python sequence by process.entity_id @@ -7544,7 +7544,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python any where processor.name == "transaction" and @@ -7558,7 +7558,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7579,7 +7579,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7600,7 +7600,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7613,7 +7613,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" @@ -7625,7 +7625,7 @@ process where event.action == "exec" and process.parent.name =="proot" and host Branch count: 2 Document count: 2 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( @@ -7640,7 +7640,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 2 Document count: 2 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 @@ -7652,7 +7652,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7665,7 +7665,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-508 +Index: geneve-ut-0508 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7678,7 +7678,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7691,7 +7691,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and @@ -7704,7 +7704,7 @@ process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2* Branch count: 60 Document count: 120 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python sequence by host.id with maxspan=1m @@ -7740,7 +7740,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7753,7 +7753,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7771,7 +7771,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -7785,7 +7785,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 16 Document count: 32 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python sequence by host.id with maxspan=30s @@ -7803,7 +7803,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -7817,7 +7817,7 @@ process.args : "-u" and process.args : "0" and process.args : "-o" Branch count: 3 Document count: 6 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python sequence by process.parent.name,host.name with maxspan=1m @@ -7834,7 +7834,7 @@ sequence by process.parent.name,host.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python process where host.os.type == "linux" and process.name == "unshadow" and @@ -7847,7 +7847,7 @@ process where host.os.type == "linux" and process.name == "unshadow" and Branch count: 1 Document count: 10 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -7863,7 +7863,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 36 Document count: 36 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -7877,7 +7877,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 229 Document count: 229 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( @@ -7902,7 +7902,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 6 Document count: 6 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7921,7 +7921,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 160 Document count: 160 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8017,7 +8017,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python process where host.os.type == "windows" and @@ -8155,7 +8155,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python process where host.os.type == "windows" and @@ -8226,7 +8226,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python library where host.os.type == "windows" and event.action == "load" and @@ -8243,7 +8243,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -8255,7 +8255,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8295,7 +8295,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -8313,7 +8313,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4 Document count: 4 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python network where process.name : ("http", "https") @@ -8328,7 +8328,7 @@ network where process.name : ("http", "https") Branch count: 2 Document count: 4 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python sequence by process.entity_id with maxspan=1m 
@@ -8347,7 +8347,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -8387,7 +8387,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 1 Document count: 1 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python network where host.os.type == "windows" and @@ -8402,7 +8402,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8415,7 +8415,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8430,7 +8430,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8443,7 +8443,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -8460,7 +8460,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -8480,7 +8480,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 696 Document count: 696 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:windows and @@ -8672,7 +8672,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -8688,7 +8688,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -8702,7 +8702,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -8719,7 +8719,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( @@ -8735,7 +8735,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 8 Document count: 8 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python /* This rule is compatible with both Sysmon and Elastic Endpoint */ @@ -8758,7 +8758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 6 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python sequence by process.parent.entity_id, host.id with maxspan=5s 
@@ -8774,7 +8774,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -8786,7 +8786,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 6 Document count: 24 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python sequence by host.id with maxspan=1m @@ -8806,7 +8806,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -8818,7 +8818,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python iam where event.action == "renamed-user-account" and @@ -8832,7 +8832,7 @@ iam where event.action == "renamed-user-account" and Branch count: 1 Document count: 2 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python sequence with maxspan=5s @@ -8852,7 +8852,7 @@ sequence with maxspan=5s Branch count: 36 Document count: 72 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -8872,7 +8872,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8885,7 +8885,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python file where host.os.type == "windows" and @@ -8900,7 +8900,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-576 +Index: geneve-ut-0576 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -8927,7 +8927,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8942,7 +8942,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 80 Document count: 80 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python process where event.type in ("start", "process_started") and @@ -8961,7 +8961,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 64 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python sequence by host.id with maxspan=5s @@ -8979,7 +8979,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -8991,7 +8991,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -9005,7 +9005,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 32 Document count: 96 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -9033,7 +9033,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id with maxspan=1s @@ -9052,7 +9052,7 @@ sequence by host.id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
@@ -9065,7 +9065,7 @@ process.name == "sudo" and process.args == "-u#-1" Branch count: 1 Document count: 2 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -9081,7 +9081,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -9095,7 +9095,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 96 Document count: 96 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python file where event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -9125,7 +9125,7 @@ file.path : ( Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -9138,7 +9138,7 @@ process.name in ("chown", "chmod") and process.args == "-R" and process.args : " Branch count: 8 Document count: 16 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -9154,7 +9154,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 21 Document count: 21 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python event.category:process and host.os.type:windows and @@ -9179,7 +9179,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python event.category:process and host.os.type:windows and @@ -9197,7 +9197,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.category:process and host.os.type:windows and 
@@ -9220,7 +9220,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -9232,7 +9232,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python event.category:process and host.os.type:windows and @@ -9255,7 +9255,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9271,7 +9271,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.category:process and host.os.type:windows and @@ -9310,7 +9310,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9324,7 +9324,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -9338,7 +9338,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -9351,7 +9351,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 4 Document count: 4 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9369,7 +9369,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -9386,7 +9386,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9400,7 +9400,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 96 Document count: 96 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -9475,7 +9475,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python sequence by winlog.computer_name with maxspan=1m @@ -9496,7 +9496,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9515,7 +9515,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 66 Document count: 66 -Index: geneve-ut-636 +Index: geneve-ut-0636 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9553,7 +9553,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind Branch count: 2 Document count: 2 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -9565,7 +9565,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -9577,7 +9577,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -9589,7 +9589,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python sequence by host.id with maxspan=5s @@ -9613,7 +9613,7 @@ sequence by host.id with maxspan=5s Branch count: 2 Document count: 2 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python process where event.type in ("start", "process_started") and process.name : "* " @@ -9625,7 +9625,7 @@ process where event.type in ("start", "process_started") and process.name : "* Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9639,7 +9639,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -9652,7 +9652,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains" @@ -9664,7 +9664,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 1 Document count: 2 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python sequence by process.entity_id @@ -9688,7 +9688,7 @@ sequence by process.entity_id Branch count: 46 Document count: 46 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9711,7 +9711,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python registry where host.os.type == "windows" and @@ -9732,7 +9732,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -9744,7 +9744,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -9756,7 +9756,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python registry where host.os.type == "windows" and @@ -9773,7 +9773,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python registry where host.os.type == "windows" and @@ -9795,7 +9795,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9810,7 +9810,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python sequence with maxspan=1m @@ -9824,7 +9824,7 @@ sequence with maxspan=1m Branch count: 16 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9838,7 +9838,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -9851,7 +9851,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9865,7 +9865,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9879,7 +9879,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -9896,7 +9896,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python sequence by host.id, process.entity_id @@ -9912,7 +9912,7 @@ sequence by host.id, process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python /* Network Logon followed by Scheduled Task creation */ @@ -9932,7 +9932,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9947,7 +9947,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -9966,7 +9966,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 12 Document count: 12 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9987,7 +9987,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -10029,7 +10029,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 8 Document count: 16 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence with maxspan=1s 
@@ -10076,7 +10076,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10089,7 +10089,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python event.dataset: (network_traffic.http or network_traffic.tls) and @@ -10135,7 +10135,7 @@ event.dataset: (network_traffic.http or network_traffic.tls) and Branch count: 4 Document count: 4 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -10154,7 +10154,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python event.category:file and event.type:(change or creation) and @@ -10180,7 +10180,7 @@ event.category:file and event.type:(change or creation) and Branch count: 12 Document count: 12 -Index: geneve-ut-680 +Index: geneve-ut-0680 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10196,7 +10196,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 60 Document count: 120 -Index: geneve-ut-682 +Index: geneve-ut-0682 ```python sequence by host.id with maxspan = 30s @@ -10215,7 +10215,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python registry where host.os.type == "windows" and @@ -10231,7 +10231,7 @@ registry where host.os.type == "windows" and Branch count: 27 Document count: 27 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python file where host.os.type == "macos" and event.type != "deletion" and 
@@ -10272,7 +10272,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -10306,7 +10306,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10320,7 +10320,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10334,7 +10334,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 58 Document count: 58 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python process where event.type == "start" and @@ -10380,7 +10380,7 @@ process.name : "grep" and user.id != "0" and Branch count: 135 Document count: 135 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python event.category:process and host.os.type:linux and event.type:start and @@ -10423,7 +10423,7 @@ event.category:process and host.os.type:linux and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -10436,7 +10436,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-692 +Index: geneve-ut-0692 ```python sequence by process.entity_id with maxspan = 1m @@ -10453,7 +10453,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python /* This rule is not compatible with Sysmon due to user.id issues */ 
@@ -10473,7 +10473,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by winlog.computer_name with maxspan=5m @@ -10497,7 +10497,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10517,7 +10517,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10540,7 +10540,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where event.type == "start" and @@ -10553,7 +10553,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -10565,7 +10565,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python sequence by host.id with maxspan=5s @@ -10579,7 +10579,7 @@ sequence by host.id with maxspan=5s Branch count: 18 Document count: 18 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -10599,7 +10599,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python process where host.os.type == "windows" and event.type == "start" 
@@ -10613,7 +10613,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10627,7 +10627,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 28 Document count: 28 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python registry where host.os.type == "windows" and registry.path : ( @@ -10651,7 +10651,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10676,7 +10676,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -10709,7 +10709,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -10734,7 +10734,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10749,7 +10749,7 @@ not group.Ext.real.id : "0" and not user.Ext.real.id : "0" Branch count: 2 Document count: 2 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) 
@@ -10761,7 +10761,7 @@ event.category:file and event.type:change and file.path:(/etc/sudoers* or /priva Branch count: 16 Document count: 16 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10775,7 +10775,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python event.category:process and host.os.type:windows and @@ -10800,7 +10800,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-723 +Index: geneve-ut-0723 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -10812,7 +10812,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python file where host.os.type == "windows" and event.action != "deletion" and file.path != null and @@ -10825,7 +10825,7 @@ file where host.os.type == "windows" and event.action != "deletion" and file.pat Branch count: 2 Document count: 4 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python sequence by host.id with maxspan=30s @@ -10839,7 +10839,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -10869,7 +10869,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:macos and event.action:modification and 
@@ -10893,7 +10893,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10907,7 +10907,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10930,7 +10930,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-730 +Index: geneve-ut-0730 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10944,7 +10944,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 58 Document count: 58 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11138,7 +11138,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -11154,7 +11154,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n Branch count: 1 Document count: 1 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -11167,7 +11167,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python any where host.os.type == "windows" and 
@@ -11200,7 +11200,7 @@ any where host.os.type == "windows" and Branch count: 44 Document count: 44 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11236,7 +11236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11255,7 +11255,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -11271,7 +11271,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python process where host.os.type == "windows" and event.type : "start" and @@ -11291,7 +11291,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11315,7 +11315,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11328,7 +11328,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-747 +Index: geneve-ut-0747 ```python any where host.os.type == "windows" and 
@@ -11343,7 +11343,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-748 +Index: geneve-ut-0748 ```python registry where host.os.type == "windows" and registry.path : ( @@ -11360,7 +11360,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and @@ -11374,7 +11374,7 @@ process where host.os.type == "windows" and event.action == "start" and process. Branch count: 16 Document count: 16 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where event.type in ("start", "process_started") and @@ -11388,7 +11388,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 1 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "windows" and event.code == "10" and @@ -11407,7 +11407,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python process where host.os.type == "windows" and event.code == "10" and @@ -11437,7 +11437,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 456 Document count: 456 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11457,7 +11457,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 52 Document count: 52 -Index: geneve-ut-754 +Index: geneve-ut-0754 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11478,7 +11478,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 128 -Index: geneve-ut-755 +Index: geneve-ut-0755 ```python sequence by process.entity_id with maxspan=5m 
@@ -11501,7 +11501,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 14 Document count: 14 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and event.type == "creation" and @@ -11515,7 +11515,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 3 Document count: 3 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python file where host.os.type == "linux" and event.action == "opened-file" and @@ -11532,7 +11532,7 @@ file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and n Branch count: 2 Document count: 2 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -11608,7 +11608,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 212 Document count: 212 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11632,7 +11632,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python event.category:process and host.os.type:windows and @@ -11647,7 +11647,7 @@ event.category:process and host.os.type:windows and Branch count: 48 Document count: 48 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python library where host.os.type == "windows" and @@ -11686,7 +11686,7 @@ library where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -11700,7 +11700,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id with maxspan=30s 
@@ -11724,7 +11724,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11757,7 +11757,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -11776,7 +11776,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-773 +Index: geneve-ut-0773 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11789,7 +11789,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 80 Document count: 80 -Index: geneve-ut-774 +Index: geneve-ut-0774 ```python process where host.os.type == "linux" and @@ -11805,7 +11805,7 @@ process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "pyth Branch count: 48 Document count: 48 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python any where host.os.type == "windows" and @@ -11833,7 +11833,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -11851,7 +11851,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python file where host.os.type == "linux" and event.action == "rename" and @@ -11865,7 +11865,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and 
@@ -11878,7 +11878,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 2 Document count: 4 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by process.entity_id with maxspan=2m @@ -11912,7 +11912,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 2 Document count: 2 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11937,7 +11937,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python registry where host.os.type == "windows" and @@ -11967,7 +11967,7 @@ registry where host.os.type == "windows" and Branch count: 918 Document count: 918 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -11997,7 +11997,7 @@ event.type == "start" and process.name == "ln" and Branch count: 9 Document count: 9 -Index: geneve-ut-784 +Index: geneve-ut-0784 ```python file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and @@ -12011,7 +12011,7 @@ not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", Branch count: 2 Document count: 2 -Index: geneve-ut-786 +Index: geneve-ut-0786 ```python process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx") @@ -12024,7 +12024,7 @@ and process.parent.name : "kill" Branch count: 34 Document count: 34 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -12040,7 +12040,7 @@ process.name == "proxychains" and process.args : ( Branch count: 2 Document count: 2 -Index: geneve-ut-788 +Index: geneve-ut-0788 ```python any where event.dataset == "windows.sysmon_operational" and event.code == "21" and 
@@ -12053,7 +12053,7 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a Branch count: 30 Document count: 30 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python any where host.os.type == "windows" and @@ -12068,7 +12068,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python sequence by process.entity_id with maxspan = 2m @@ -12086,7 +12086,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-791 +Index: geneve-ut-0791 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12105,7 +12105,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12118,7 +12118,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -12164,7 +12164,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-794 +Index: geneve-ut-0794 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -12182,7 +12182,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 2 Document count: 2 -Index: geneve-ut-795 +Index: geneve-ut-0795 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12214,7 +12214,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-796 +Index: geneve-ut-0796 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12230,7 +12230,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where event.type == "start" and event.action == "exec" and @@ -12243,7 +12243,7 @@ process where event.type == "start" and event.action == "exec" and Branch count: 2 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12257,7 +12257,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -12284,7 +12284,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python process where event.type == "start" and @@ -12297,7 +12297,7 @@ process where event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where event.type == "start" and @@ -12310,7 +12310,7 @@ process where event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12328,7 +12328,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12345,7 +12345,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12362,7 +12362,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12375,7 +12375,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-807 +Index: geneve-ut-0807 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -12388,7 +12388,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 90 Document count: 90 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python process where event.type in ("start", "process_started") and @@ -12411,7 +12411,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-809 +Index: geneve-ut-0809 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -12425,7 +12425,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-810 +Index: geneve-ut-0810 ```python file where host.os.type == "windows" and event.type == "deletion" and @@ -12453,7 +12453,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python process where event.type == "start" and 
@@ -12468,7 +12468,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-816 +Index: geneve-ut-0816 ```python process where event.type : ("start", "process_started") and process.name : "trap" and process.args : "SIG*" @@ -12480,7 +12480,7 @@ process where event.type : ("start", "process_started") and process.name : "tra Branch count: 1 Document count: 1 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12497,7 +12497,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-818 +Index: geneve-ut-0818 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -12513,7 +12513,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12526,7 +12526,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and @@ -12541,7 +12541,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12557,7 +12557,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12572,7 +12572,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-823 +Index: geneve-ut-0823 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12588,7 +12588,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-824 +Index: geneve-ut-0824 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -12600,7 +12600,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-826 +Index: geneve-ut-0826 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -12612,7 +12612,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-830 +Index: geneve-ut-0830 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -12626,7 +12626,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-832 +Index: geneve-ut-0832 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12640,7 +12640,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-833 +Index: geneve-ut-0833 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and @@ -12653,7 +12653,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-834 +Index: geneve-ut-0834 ```python sequence with maxspan=1h 
@@ -12671,7 +12671,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-838 +Index: geneve-ut-0838 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -12693,7 +12693,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -12766,7 +12766,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-840 +Index: geneve-ut-0840 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -12780,7 +12780,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python sequence by process.entity_id with maxspan=5m @@ -12842,7 +12842,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -12861,7 +12861,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-855 +Index: geneve-ut-0855 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -12880,7 +12880,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 32 Document count: 32 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12921,7 +12921,7 @@ process.parent.name != null and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python registry where host.os.type == "windows" and 
@@ -12953,7 +12953,7 @@ registry where host.os.type == "windows" and Branch count: 32 Document count: 32 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12976,7 +12976,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12989,7 +12989,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13013,7 +13013,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13043,7 +13043,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 33 Document count: 33 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "windows" and @@ -13071,7 +13071,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 144 Document count: 288 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python sequence by process.entity_id @@ -13108,7 +13108,7 @@ sequence by process.entity_id Branch count: 1 Document count: 20 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by host.id, process.parent.entity_id with maxspan=1s @@ -13122,7 +13122,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-882 +Index: geneve-ut-0882 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13137,7 +13137,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-883 +Index: geneve-ut-0883 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) @@ -13149,7 +13149,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-884 +Index: geneve-ut-0884 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -13161,7 +13161,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-885 +Index: geneve-ut-0885 ```python iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and @@ -13181,7 +13181,7 @@ iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" a Branch count: 1 Document count: 1 -Index: geneve-ut-886 +Index: geneve-ut-0886 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -13195,7 +13195,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and @@ -13240,7 +13240,7 @@ event.dataset: network_traffic.flow and network.transport:tcp and destination.po Branch count: 3 Document count: 3 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and 
@@ -13285,7 +13285,7 @@ event.dataset: network_traffic.flow and network.transport:tcp and destination.po Branch count: 10 Document count: 10 -Index: geneve-ut-889 +Index: geneve-ut-0889 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -13303,7 +13303,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where event.type == "start" and @@ -13318,7 +13318,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13335,7 +13335,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python process where host.os.type == "windows" and event.type == "start" @@ -13349,7 +13349,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13365,7 +13365,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13379,7 +13379,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python sequence by host.id with maxspan = 2s @@ -13408,7 +13408,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe" 
@@ -13420,7 +13420,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 3 Document count: 3 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13435,7 +13435,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python event.action:"Directory Service Access" and event.code:"5136" and @@ -13448,7 +13448,7 @@ event.action:"Directory Service Access" and event.code:"5136" and Branch count: 1 Document count: 1 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python http.response.status_code:403 and http.request.method:post @@ -13460,7 +13460,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python http.response.status_code:405 @@ -13472,7 +13472,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -13484,7 +13484,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 42 Document count: 42 -Index: geneve-ut-902 +Index: geneve-ut-0902 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13498,7 +13498,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python event.category:process and host.os.type:macos and event.type:start and @@ -13514,7 +13514,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python file where event.type == "deletion" and 
@@ -13531,7 +13531,7 @@ file where event.type == "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python registry where event.type == "change" and @@ -13547,7 +13547,7 @@ registry where event.type == "change" and Branch count: 33 Document count: 33 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and @@ -13576,7 +13576,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 36 Document count: 36 -Index: geneve-ut-907 +Index: geneve-ut-0907 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13613,7 +13613,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -13646,7 +13646,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 12 Document count: 12 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13661,7 +13661,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" @@ -13673,7 +13673,7 @@ event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" Branch count: 16 Document count: 16 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python process where host.os.type == "windows" and event.action == "start" and 
@@ -13689,7 +13689,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13714,7 +13714,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-914 +Index: geneve-ut-0914 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -13729,7 +13729,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-915 +Index: geneve-ut-0915 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13742,7 +13742,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 216 Document count: 432 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python sequence by host.id with maxspan = 5s @@ -13782,7 +13782,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-917 +Index: geneve-ut-0917 ```python event.action:"service-installed" and @@ -13795,7 +13795,7 @@ event.action:"service-installed" and Branch count: 2 Document count: 2 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python registry where host.os.type == "windows" and @@ -13810,7 +13810,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where host.os.type == "windows" and event.type : "start" and @@ -13824,7 +13824,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13852,7 +13852,7 @@ process.parent.executable : ( Branch count: 18 Document count: 18 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where event.type == "start" and @@ -13877,7 +13877,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13891,7 +13891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-923 +Index: geneve-ut-0923 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.8.md b/tests/reports/alerts_from_rules-8.8.md index 4a3e91ab..a741edea 100644 --- a/tests/reports/alerts_from_rules-8.8.md +++ b/tests/reports/alerts_from_rules-8.8.md @@ -19,7 +19,7 @@ Rules version: 8.8.15 Branch count: 2904 Document count: 5808 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python sequence by host.id, process.parent.entity_id with maxspan=1s @@ -45,7 +45,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 4608 Document count: 13824 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python sequence by host.id, user.id with maxspan=1m @@ -66,7 +66,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -85,7 +85,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -104,7 +104,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 3510 Document count: 3510 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -130,7 +130,7 @@ not process.name == "phpquery" Branch count: 2592 Document count: 5184 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python sequence by host.id with maxspan=1s @@ -149,7 +149,7 @@ sequence by host.id with maxspan=1s Branch count: 2048 Document count: 22528 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -166,7 +166,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 4608 -Index: geneve-ut-785 +Index: geneve-ut-0785 ```python process where host.os.type == "windows" and event.type == "start" and @@ -215,7 +215,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1836 Document count: 1836 -Index: geneve-ut-830 +Index: geneve-ut-0830 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -247,7 +247,7 @@ event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -259,7 +259,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 4 Document count: 4 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -275,7 +275,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and 
@@ -288,7 +288,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -303,7 +303,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 2904 Document count: 5808 -Index: geneve-ut-203 +Index: geneve-ut-0203 Failure message(s): got 1000 signals, expected 2904 @@ -331,7 +331,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 4608 Document count: 13824 -Index: geneve-ut-262 +Index: geneve-ut-0262 Failure message(s): got 1000 signals, expected 4608 @@ -354,7 +354,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-535 +Index: geneve-ut-0535 Failure message(s): got 1000 signals, expected 1024 @@ -375,7 +375,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-539 +Index: geneve-ut-0539 Failure message(s): got 1000 signals, expected 1024 @@ -396,7 +396,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 256 Document count: 768 -Index: geneve-ut-556 +Index: geneve-ut-0556 Failure message(s): got 128 signals, expected 256 @@ -460,7 +460,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 3510 Document count: 3510 -Index: geneve-ut-605 +Index: geneve-ut-0605 Failure message(s): got 1000 signals, expected 3510 @@ -488,7 +488,7 @@ not process.name == "phpquery" Branch count: 2592 Document count: 5184 -Index: geneve-ut-610 +Index: geneve-ut-0610 Failure message(s): got 1000 signals, expected 2592 @@ -509,7 +509,7 @@ sequence by host.id with maxspan=1s Branch count: 2048 Document count: 22528 -Index: geneve-ut-626 +Index: geneve-ut-0626 Failure message(s): got 1000 signals, expected 2048 
@@ -528,7 +528,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 4608 -Index: geneve-ut-785 +Index: geneve-ut-0785 Failure message(s): got 1000 signals, expected 4608 @@ -579,7 +579,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1836 Document count: 1836 -Index: geneve-ut-830 +Index: geneve-ut-0830 Failure message(s): got 1000 signals, expected 1836 @@ -613,7 +613,7 @@ event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -635,7 +635,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -665,7 +665,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -677,7 +677,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -689,7 +689,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success 
@@ -701,7 +701,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -713,7 +713,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -725,7 +725,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -749,7 +749,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success 
@@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python process where event.module == "cloud_defend" and @@ -793,7 +793,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -806,7 +806,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -818,7 +818,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -832,7 +832,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -844,7 +844,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success 
@@ -856,7 +856,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -868,7 +868,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -880,7 +880,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -893,7 +893,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -906,7 +906,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -920,7 +920,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and 
@@ -933,7 +933,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -945,7 +945,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -957,7 +957,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -969,7 +969,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -981,7 +981,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -993,7 +993,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -1005,7 +1005,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1017,7 +1017,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1029,7 +1029,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1041,7 +1041,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1053,7 +1053,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -1065,7 +1065,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1077,7 +1077,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -1089,7 +1089,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1101,7 +1101,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1113,7 +1113,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1125,7 +1125,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and 
@@ -1138,7 +1138,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1150,7 +1150,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1165,7 +1165,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1177,7 +1177,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1189,7 +1189,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1202,7 +1202,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or 
@@ -1215,7 +1215,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1228,7 +1228,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1243,7 +1243,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -1256,7 +1256,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1269,7 +1269,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -1283,7 +1283,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -1296,7 +1296,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success 
@@ -1308,7 +1308,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1320,7 +1320,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1332,7 +1332,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1348,7 +1348,7 @@ Index: geneve-ut-059 Branch count: 52 Document count: 52 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1377,7 +1377,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1415,7 +1415,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python any where event.action == "Directory Service Access" and event.code == "4662" and 
@@ -1450,7 +1450,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 2 Document count: 2 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1463,7 +1463,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1479,7 +1479,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python sequence by winlog.computer_name with maxspan=5m @@ -1506,7 +1506,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where event.type== "start" and event.action == "exec" and @@ -1524,7 +1524,7 @@ process where event.type== "start" and event.action == "exec" and Branch count: 36 Document count: 36 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1544,7 +1544,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1561,7 +1561,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.action:"Directory Service Changes" and event.code:5136 and 
@@ -1574,7 +1574,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1586,7 +1586,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1598,7 +1598,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1613,7 +1613,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1625,7 +1625,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.agent_id_status:agent_id_mismatch @@ -1637,7 +1637,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1656,7 +1656,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -1669,7 +1669,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1681,7 +1681,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1696,7 +1696,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1708,7 +1708,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -1721,7 +1721,7 @@ process.name == "dmesg" and process.args : "-c" Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1733,7 +1733,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1745,7 +1745,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate 
@@ -1757,7 +1757,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1769,7 +1769,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1781,7 +1781,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1793,7 +1793,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1805,7 +1805,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:okta.system and event.action:zone.delete @@ -1817,7 +1817,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1829,7 +1829,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1841,7 +1841,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -1854,7 +1854,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 17 Document count: 17 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -1881,7 +1881,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -1897,7 +1897,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1910,7 +1910,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1929,7 +1929,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1944,7 +1944,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1956,7 +1956,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) 
@@ -1968,7 +1968,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1980,7 +1980,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1992,7 +1992,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -2011,7 +2011,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -2029,7 +2029,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2041,7 +2041,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2053,7 +2053,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2066,7 +2066,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2078,7 +2078,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 2 Document count: 2 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.pem*", "*.id_rsa*") and @@ -2098,7 +2098,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2113,7 +2113,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2127,7 +2127,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.signinlogs and @@ -2141,7 +2141,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.signinlogs and @@ -2154,7 +2154,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.signinlogs and @@ -2168,7 +2168,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and 
@@ -2181,7 +2181,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2193,7 +2193,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2205,7 +2205,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:azure.activitylogs and @@ -2224,7 +2224,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and @@ -2238,7 +2238,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and @@ -2256,7 +2256,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2268,7 +2268,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( 
@@ -2283,7 +2283,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2295,7 +2295,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2308,7 +2308,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2320,7 +2320,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2332,7 +2332,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) 
@@ -2344,7 +2344,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2356,7 +2356,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2368,7 +2368,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2386,7 +2386,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2398,7 +2398,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2411,7 +2411,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and 
@@ -2424,7 +2424,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2439,7 +2439,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2451,7 +2451,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2463,7 +2463,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2475,7 +2475,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2487,7 +2487,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) 
@@ -2499,7 +2499,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2511,7 +2511,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2529,7 +2529,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" @@ -2541,7 +2541,7 @@ process where host.os.type == "linux" and event.type != "end" and process.execut Branch count: 8 Document count: 8 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -2554,7 +2554,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 9 Document count: 9 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python event.category:file and event.type:change and @@ -2579,7 +2579,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2594,7 +2594,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2609,7 +2609,7 @@ user.id == "0" Branch count: 13 Document count: 13 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2631,7 +2631,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python file where event.action : "creation" and @@ -2655,7 +2655,7 @@ file where event.action : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2673,7 +2673,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2689,7 +2689,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 24 Document count: 24 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2705,7 +2705,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2727,7 +2727,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2741,7 +2741,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -2758,7 +2758,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2778,7 +2778,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python sequence by process.entity_id @@ -2798,7 +2798,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2815,7 +2815,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 56 Document count: 56 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python registry where host.os.type == "windows" and @@ -2867,7 +2867,7 @@ registry where host.os.type == "windows" and Branch count: 12 Document count: 12 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python library where @@ -2896,7 +2896,7 @@ library where Branch count: 24 Document count: 24 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2921,7 +2921,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python sequence by process.entity_id @@ -2941,7 +2941,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python sequence by process.entity_id 
@@ -2961,7 +2961,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python process where container.id: "*" and event.type== "start" @@ -2974,7 +2974,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.kind:alert and event.module:cloud_defend @@ -2986,7 +2986,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 24 Document count: 24 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3012,7 +3012,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3032,7 +3032,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -3045,7 +3045,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" @@ -3057,7 +3057,7 @@ file where host.os.type == "linux" and event.type == "creation" and file.extensi Branch count: 2 Document count: 2 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python file where event.type in ("change", "creation") and host.os.type == "linux" and 
@@ -3070,7 +3070,7 @@ file.path : "/lib/modules/*" and file.name : "*.ko" Branch count: 1 Document count: 1 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -3083,7 +3083,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python registry where host.os.type == "windows" and registry.path : ( @@ -3098,7 +3098,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -3110,7 +3110,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -3143,7 +3143,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -3158,7 +3158,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3173,7 +3173,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) 
@@ -3185,7 +3185,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3197,7 +3197,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3209,7 +3209,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3221,7 +3221,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3233,7 +3233,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:cyberarkpas.audit and @@ -3248,7 +3248,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -3266,7 +3266,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 9 Document count: 9 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3281,7 +3281,7 @@ Index: geneve-ut-199 Branch count: 2 Document count: 2 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3295,7 +3295,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3309,7 +3309,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python sequence by process.entity_id @@ -3336,7 +3336,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3358,7 +3358,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3375,7 +3375,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3397,7 +3397,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3411,7 +3411,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where event.type : ("start", "process_started") and host.os.type == "linux" and @@ -3426,7 +3426,7 @@ process where event.type : ("start", "process_started") and host.os.type == "li Branch count: 1 Document count: 1 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3438,7 +3438,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3451,7 +3451,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3463,7 +3463,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 8 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python sequence by process.entity_id with maxspan=1m @@ -3478,7 +3478,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 3 Document count: 3 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python process where host.os.type == "linux" and event.type == "start" and process.name : "find" and @@ -3491,7 +3491,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 27 Document count: 27 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -3505,7 +3505,7 @@ process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", Branch count: 3 Document count: 3 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3518,7 +3518,7 @@ process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/ Branch count: 2 Document count: 2 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3530,7 +3530,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 201 Document count: 201 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python process where @@ -3561,7 +3561,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3574,7 +3574,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3588,7 +3588,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python registry where host.os.type == "windows" and @@ -3602,7 +3602,7 @@ registry where host.os.type == "windows" and Branch count: 14 Document count: 14 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3633,7 +3633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python event.kind:alert and event.module:(endpoint and not endgame) 
@@ -3645,7 +3645,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3659,7 +3659,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3678,7 +3678,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3703,7 +3703,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 46 Document count: 46 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3733,7 +3733,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.category:process and host.os.type:windows and @@ -3751,7 +3751,7 @@ event.category:process and host.os.type:windows and Branch count: 64 Document count: 64 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -3779,7 +3779,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python sequence by process.entity_id with maxspan=5m @@ -3799,7 +3799,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 2 Document count: 2 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3818,7 +3818,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 48 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python sequence with maxspan=2h @@ -3843,7 +3843,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python sequence with maxspan=2h @@ -3868,7 +3868,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3897,7 +3897,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3909,7 +3909,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -3932,7 +3932,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python sequence by user.id with maxspan=5s @@ -3947,7 +3947,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" 
@@ -3959,7 +3959,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex
 Branch count: 4
 Document count: 4
-Index: geneve-ut-250
+Index: geneve-ut-0250
 ```python
 process where host.os.type == "windows" and event.type : "start" and
@@ -3984,7 +3984,7 @@ process where host.os.type == "windows" and event.type : "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-251
+Index: geneve-ut-0251
 ```python
 file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
@@ -3996,7 +3996,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path :
 Branch count: 24
 Document count: 24
-Index: geneve-ut-252
+Index: geneve-ut-0252
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -4010,7 +4010,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-253
+Index: geneve-ut-0253
 ```python
 driver where host.os.type == "windows" and process.pid == 4 and
@@ -4023,7 +4023,7 @@ driver where host.os.type == "windows" and process.pid == 4 and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-254
+Index: geneve-ut-0254
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
@@ -4035,7 +4035,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-255
+Index: geneve-ut-0255
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
@@ -4047,7 +4047,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 6
 Document count: 6
-Index: geneve-ut-256
+Index: geneve-ut-0256
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4061,7 +4061,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-257
+Index: geneve-ut-0257
 ```python
 event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
@@ -4073,7 +4073,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
 Branch count: 19
 Document count: 19
-Index: geneve-ut-258
+Index: geneve-ut-0258
 ```python
 network where host.os.type == "windows" and network.protocol == "dns" and
@@ -4124,7 +4124,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 Branch count: 62
 Document count: 62
-Index: geneve-ut-260
+Index: geneve-ut-0260
 ```python
 file where event.type in ("creation", "change") and
@@ -4172,7 +4172,7 @@ file where event.type in ("creation", "change") and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-261
+Index: geneve-ut-0261
 ```python
 file where host.os.type == "windows" and event.code : "2" and
@@ -4201,7 +4201,7 @@ file where host.os.type == "windows" and event.code : "2" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-263
+Index: geneve-ut-0263
 ```python
 event.category:process and host.os.type:linux and event.type:start and process.name:shred and
@@ -4214,7 +4214,7 @@ process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.nam
 Branch count: 20
 Document count: 20
-Index: geneve-ut-264
+Index: geneve-ut-0264
 ```python
 file where container.id: "*" and event.type in ("change", "creation") and
@@ -4230,7 +4230,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-266
+Index: geneve-ut-0266
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -4245,7 +4245,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 375
 Document count: 750
-Index: geneve-ut-267
+Index: geneve-ut-0267
 ```python
 sequence by process.entity_id
@@ -4272,7 +4272,7 @@ sequence by process.entity_id
 Branch count: 16
 Document count: 16
-Index: geneve-ut-268
+Index: geneve-ut-0268
 ```python
 process where event.type == "start" and host.os.type == "windows" and
@@ -4290,7 +4290,7 @@ process where event.type == "start" and host.os.type == "windows" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-269
+Index: geneve-ut-0269
 ```python
 process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
@@ -4304,7 +4304,7 @@ process where host.os.type == "linux" and event.type == "start" and user.name ==
 Branch count: 11
 Document count: 11
-Index: geneve-ut-270
+Index: geneve-ut-0270
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4330,7 +4330,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-272
+Index: geneve-ut-0272
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and
@@ -4356,7 +4356,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-280
+Index: geneve-ut-0280
 ```python
 event.dataset: google_workspace.alert
@@ -4368,7 +4368,7 @@ event.dataset: google_workspace.alert
 Branch count: 4
 Document count: 4
-Index: geneve-ut-281
+Index: geneve-ut-0281
 ```python
 registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and
@@ -4382,7 +4382,7 @@ registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Mi
 Branch count: 2
 Document count: 2
-Index: geneve-ut-282
+Index: geneve-ut-0282
 ```python
 event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
@@ -4394,7 +4394,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-283
+Index: geneve-ut-0283
 ```python
 event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
@@ -4406,7 +4406,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a
 Branch count: 2
 Document count: 2
-Index: geneve-ut-284
+Index: geneve-ut-0284
 ```python
 event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
@@ -4418,7 +4418,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap
 Branch count: 1
 Document count: 1
-Index: geneve-ut-285
+Index: geneve-ut-0285
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
@@ -4430,7 +4430,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even
 Branch count: 1
 Document count: 1
-Index: geneve-ut-286
+Index: geneve-ut-0286
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
@@ -4442,7 +4442,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even
 Branch count: 1
 Document count: 1
-Index: geneve-ut-287
+Index: geneve-ut-0287
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
@@ -4454,7 +4454,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-288
+Index: geneve-ut-0288
 ```python
 event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
@@ -4466,7 +4466,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet
 Branch count: 1
 Document count: 1
-Index: geneve-ut-289
+Index: geneve-ut-0289
 ```python
 event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
@@ -4478,7 +4478,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet
 Branch count: 1
 Document count: 1
-Index: geneve-ut-290
+Index: geneve-ut-0290
 ```python
 event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
@@ -4490,7 +4490,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat
 Branch count: 1
 Document count: 1
-Index: geneve-ut-291
+Index: geneve-ut-0291
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
@@ -4502,7 +4502,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-292
+Index: geneve-ut-0292
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
@@ -4514,7 +4514,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-293
+Index: geneve-ut-0293
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
@@ -4526,7 +4526,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic
 Branch count: 1
 Document count: 1
-Index: geneve-ut-294
+Index: geneve-ut-0294
 ```python
 event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
@@ -4538,7 +4538,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic
 Branch count: 1
 Document count: 1
-Index: geneve-ut-295
+Index: geneve-ut-0295
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
@@ -4550,7 +4550,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-296
+Index: geneve-ut-0296
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
@@ -4562,7 +4562,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-297
+Index: geneve-ut-0297
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
@@ -4574,7 +4574,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou
 Branch count: 1
 Document count: 1
-Index: geneve-ut-298
+Index: geneve-ut-0298
 ```python
 event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
@@ -4586,7 +4586,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun
 Branch count: 1
 Document count: 1
-Index: geneve-ut-299
+Index: geneve-ut-0299
 ```python
 event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
@@ -4598,7 +4598,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-300
+Index: geneve-ut-0300
 ```python
 event.dataset:gcp.audit and event.action:"storage.buckets.delete"
@@ -4610,7 +4610,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-301
+Index: geneve-ut-0301
 ```python
 event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
@@ -4622,7 +4622,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o
 Branch count: 1
 Document count: 1
-Index: geneve-ut-302
+Index: geneve-ut-0302
 ```python
 event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
@@ -4634,7 +4634,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou
 Branch count: 2
 Document count: 2
-Index: geneve-ut-303
+Index: geneve-ut-0303
 ```python
 event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
@@ -4646,7 +4646,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp
 Branch count: 1
 Document count: 1
-Index: geneve-ut-304
+Index: geneve-ut-0304
 ```python
 event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
@@ -4658,7 +4658,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc
 Branch count: 1
 Document count: 1
-Index: geneve-ut-305
+Index: geneve-ut-0305
 ```python
 iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
@@ -4670,7 +4670,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member
 Branch count: 1
 Document count: 1
-Index: geneve-ut-306
+Index: geneve-ut-0306
 ```python
 configuration where event.dataset == "github.audit"
@@ -4683,7 +4683,7 @@ configuration where event.dataset == "github.audit"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-307
+Index: geneve-ut-0307
 ```python
 configuration where event.module == "github" and event.action == "repo.destroy"
@@ -4695,7 +4695,7 @@ configuration where event.module == "github" and event.action == "repo.destroy"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-308
+Index: geneve-ut-0308
 ```python
 event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST"
@@ -4708,7 +4708,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE
 Branch count: 1
 Document count: 1
-Index: geneve-ut-309
+Index: geneve-ut-0309
 ```python
 event.dataset:"google_workspace.login" and event.action:"2sv_disable"
@@ -4720,7 +4720,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-310
+Index: geneve-ut-0310
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
@@ -4732,7 +4732,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 1
 Document count: 1
-Index: geneve-ut-311
+Index: geneve-ut-0311
 ```python
 event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE"
@@ -4745,7 +4745,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action
 Branch count: 1
 Document count: 1
-Index: geneve-ut-312
+Index: geneve-ut-0312
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
@@ -4757,7 +4757,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 2
 Document count: 2
-Index: geneve-ut-313
+Index: geneve-ut-0313
 ```python
 event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
@@ -4770,7 +4770,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT
 Branch count: 1
 Document count: 1
-Index: geneve-ut-314
+Index: geneve-ut-0314
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE
@@ -4782,7 +4782,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 4
 Document count: 4
-Index: geneve-ut-315
+Index: geneve-ut-0315
 ```python
 event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
@@ -4795,7 +4795,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING"
 Branch count: 105
 Document count: 105
-Index: geneve-ut-316
+Index: geneve-ut-0316
 ```python
 file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and
@@ -4812,7 +4812,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy",
 Branch count: 1
 Document count: 1
-Index: geneve-ut-317
+Index: geneve-ut-0317
 ```python
 event.dataset:google_workspace.admin and event.provider:admin
@@ -4826,7 +4826,7 @@ event.dataset:google_workspace.admin and event.provider:admin
 Branch count: 4
 Document count: 8
-Index: geneve-ut-318
+Index: geneve-ut-0318
 ```python
 sequence by source.user.email with maxspan=3m
@@ -4850,7 +4850,7 @@ sequence by source.user.email with maxspan=3m
 Branch count: 12
 Document count: 12
-Index: geneve-ut-319
+Index: geneve-ut-0319
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and
@@ -4871,7 +4871,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 2
 Document count: 2
-Index: geneve-ut-320
+Index: geneve-ut-0320
 ```python
 event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
@@ -4885,7 +4885,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT
 Branch count: 2
 Document count: 2
-Index: geneve-ut-321
+Index: geneve-ut-0321
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
@@ -4897,7 +4897,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 1
 Document count: 1
-Index: geneve-ut-322
+Index: geneve-ut-0322
 ```python
 event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
@@ -4909,7 +4909,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS
 Branch count: 1
 Document count: 1
-Index: geneve-ut-323
+Index: geneve-ut-0323
 ```python
 event.dataset:"google_workspace.admin" and event.type:change and event.category:iam
@@ -4922,7 +4922,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category:
 Branch count: 8
 Document count: 8
-Index: geneve-ut-325
+Index: geneve-ut-0325
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -4935,7 +4935,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-327
+Index: geneve-ut-0327
 ```python
 file where event.type : "creation" and process.name : "chflags"
@@ -4947,7 +4947,7 @@ file where event.type : "creation" and process.name : "chflags"
 Branch count: 1
 Document count: 2
-Index: geneve-ut-331
+Index: geneve-ut-0331
 ```python
 sequence by process.entity_id with maxspan=5m
@@ -4964,7 +4964,7 @@ sequence by process.entity_id with maxspan=5m
 Branch count: 12
 Document count: 12
-Index: geneve-ut-332
+Index: geneve-ut-0332
 ```python
 any where
@@ -4993,7 +4993,7 @@ any where
 Branch count: 3
 Document count: 3
-Index: geneve-ut-333
+Index: geneve-ut-0333
 ```python
 process where host.os.type == "linux" and event.type == "start"
@@ -5006,7 +5006,7 @@ and process.name in ("hping", "hping2", "hping3")
 Branch count: 2
 Document count: 2
-Index: geneve-ut-334
+Index: geneve-ut-0334
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5021,7 +5021,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 3
 Document count: 3
-Index: geneve-ut-335
+Index: geneve-ut-0335
 ```python
 (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500
@@ -5033,7 +5033,7 @@ Index: geneve-ut-335
 Branch count: 8
 Document count: 8
-Index: geneve-ut-338
+Index: geneve-ut-0338
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5050,7 +5050,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 4
-Index: geneve-ut-340
+Index: geneve-ut-0340
 ```python
 sequence with maxspan=1m
@@ -5069,7 +5069,7 @@ sequence with maxspan=1m
 Branch count: 2
 Document count: 4
-Index: geneve-ut-341
+Index: geneve-ut-0341
 ```python
 sequence by host.id with maxspan=1m
@@ -5087,7 +5087,7 @@ sequence by host.id with maxspan=1m
 Branch count: 2
 Document count: 4
-Index: geneve-ut-342
+Index: geneve-ut-0342
 ```python
 sequence by host.id with maxspan=5s
@@ -5106,7 +5106,7 @@ sequence by host.id with maxspan=5s
 Branch count: 4
 Document count: 8
-Index: geneve-ut-343
+Index: geneve-ut-0343
 ```python
 sequence by host.id with maxspan = 30s
@@ -5122,7 +5122,7 @@ sequence by host.id with maxspan = 30s
 Branch count: 4
 Document count: 8
-Index: geneve-ut-344
+Index: geneve-ut-0344
 ```python
 sequence by host.id with maxspan=30s
@@ -5138,7 +5138,7 @@ sequence by host.id with maxspan=30s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-345
+Index: geneve-ut-0345
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5151,7 +5151,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-347
+Index: geneve-ut-0347
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -5164,7 +5164,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 4
-Index: geneve-ut-348
+Index: geneve-ut-0348
 ```python
 /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
@@ -5180,7 +5180,7 @@ sequence by process.entity_id
 Branch count: 4
 Document count: 8
-Index: geneve-ut-349
+Index: geneve-ut-0349
 ```python
 sequence by process.entity_id with maxspan = 5m
@@ -5196,7 +5196,7 @@ sequence by process.entity_id with maxspan = 5m
 Branch count: 4
 Document count: 4
-Index: geneve-ut-350
+Index: geneve-ut-0350
 ```python
 registry where host.os.type == "windows" and
@@ -5215,7 +5215,7 @@ registry where host.os.type == "windows" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-351
+Index: geneve-ut-0351
 ```python
 process where container.id : "*" and event.type== "start" and
@@ -5236,7 +5236,7 @@ process.interactive == true
 Branch count: 6
 Document count: 6
-Index: geneve-ut-352
+Index: geneve-ut-0352
 ```python
 event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and
@@ -5249,7 +5249,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s
 Branch count: 36
 Document count: 36
-Index: geneve-ut-353
+Index: geneve-ut-0353
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -5267,7 +5267,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
 Branch count: 1
 Document count: 1
-Index: geneve-ut-354
+Index: geneve-ut-0354
 ```python
 event.action:modified-user-account and event.code:4738 and
@@ -5280,7 +5280,7 @@ event.action:modified-user-account and event.code:4738 and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-355
+Index: geneve-ut-0355
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -5294,7 +5294,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-357
+Index: geneve-ut-0357
 ```python
 network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and
@@ -5353,7 +5353,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di
 Branch count: 2
 Document count: 2
-Index: geneve-ut-358
+Index: geneve-ut-0358
 ```python
 driver where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
@@ -5366,7 +5366,7 @@ event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module"
 Branch count: 6
 Document count: 6
-Index: geneve-ut-359
+Index: geneve-ut-0359
 ```python
 process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and
@@ -5379,7 +5379,7 @@ process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
 Branch count: 1
 Document count: 1
-Index: geneve-ut-360
+Index: geneve-ut-0360
 ```python
 process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
@@ -5392,7 +5392,7 @@ and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
 Branch count: 21
 Document count: 21
-Index: geneve-ut-361
+Index: geneve-ut-0361
 ```python
 process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or
@@ -5406,7 +5406,7 @@ process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh
 Branch count: 16
 Document count: 16
-Index: geneve-ut-362
+Index: geneve-ut-0362
 ```python
 process where host.os.type == "macos" and event.type == "start" and
@@ -5421,7 +5421,7 @@ process where host.os.type == "macos" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-363
+Index: geneve-ut-0363
 ```python
 file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
@@ -5433,7 +5433,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten
 Branch count: 3
 Document count: 3
-Index: geneve-ut-364
+Index: geneve-ut-0364
 ```python
 event.dataset:kubernetes.audit_logs
@@ -5448,7 +5448,7 @@ event.dataset:kubernetes.audit_logs
 Branch count: 1
 Document count: 1
-Index: geneve-ut-366
+Index: geneve-ut-0366
 ```python
 event.dataset: "kubernetes.audit_logs"
@@ -5462,7 +5462,7 @@ event.dataset: "kubernetes.audit_logs"
 Branch count: 3
 Document count: 3
-Index: geneve-ut-367
+Index: geneve-ut-0367
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5478,7 +5478,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 3
 Document count: 3
-Index: geneve-ut-368
+Index: geneve-ut-0368
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5495,7 +5495,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 3
 Document count: 3
-Index: geneve-ut-369
+Index: geneve-ut-0369
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5512,7 +5512,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 3
 Document count: 3
-Index: geneve-ut-370
+Index: geneve-ut-0370
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5529,7 +5529,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 48
 Document count: 48
-Index: geneve-ut-371
+Index: geneve-ut-0371
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5562,7 +5562,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-372
+Index: geneve-ut-0372
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5579,7 +5579,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-373
+Index: geneve-ut-0373
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5596,7 +5596,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 8
 Document count: 8
-Index: geneve-ut-374
+Index: geneve-ut-0374
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5613,7 +5613,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-375
+Index: geneve-ut-0375
 ```python
 event.dataset : "kubernetes.audit_logs"
@@ -5629,7 +5629,7 @@ event.dataset : "kubernetes.audit_logs"
 Branch count: 20
 Document count: 20
-Index: geneve-ut-376
+Index: geneve-ut-0376
 ```python
 file where host.os.type == "windows" and event.action != "deletion" and
@@ -5662,7 +5662,7 @@ file where host.os.type == "windows" and event.action != "deletion" and
 Branch count: 18
 Document count: 18
-Index: geneve-ut-377
+Index: geneve-ut-0377
 ```python
 any where event.action == "File System" and event.code == "4656" and
@@ -5697,7 +5697,7 @@ any where event.action == "File System" and event.code == "4656" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-378
+Index: geneve-ut-0378
 ```python
 api where host.os.type == "windows" and
@@ -5751,7 +5751,7 @@ api where host.os.type == "windows" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-379
+Index: geneve-ut-0379
 ```python
 file where host.os.type == "windows" and event.type in ("creation", "change") and
@@ -5769,7 +5769,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an
 Branch count: 6
 Document count: 12
-Index: geneve-ut-380
+Index: geneve-ut-0380
 ```python
 sequence by host.id with maxspan=1m
@@ -5785,7 +5785,7 @@ sequence by host.id with maxspan=1m
 Branch count: 4
 Document count: 8
-Index: geneve-ut-381
+Index: geneve-ut-0381
 ```python
 sequence by host.id with maxspan=1m
@@ -5799,7 +5799,7 @@ sequence by host.id with maxspan=1m
 Branch count: 609
 Document count: 609
-Index: geneve-ut-383
+Index: geneve-ut-0383
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -5861,7 +5861,7 @@ process where host.os.type == "linux" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-384
+Index: geneve-ut-0384
 ```python
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
@@ -5876,7 +5876,7 @@ process.args != "1"
 Branch count: 16
 Document count: 16
-Index: geneve-ut-385
+Index: geneve-ut-0385
 ```python
 process where event.type == "start" and
@@ -5893,7 +5893,7 @@ process where event.type == "start" and
 Branch count: 60
 Document count: 60
-Index: geneve-ut-387
+Index: geneve-ut-0387
 ```python
 process where host.os.type == "linux" and event.type == "start" and
@@ -5913,7 +5913,7 @@ process.args in ("root", "admin", "wheel", "staff", "sudo",
 Branch count: 4
 Document count: 4
-Index: geneve-ut-389
+Index: geneve-ut-0389
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -5928,7 +5928,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 600
 Document count: 1200
-Index: geneve-ut-390
+Index: geneve-ut-0390
 ```python
 sequence with maxspan=1m
@@ -5953,7 +5953,7 @@ sequence with maxspan=1m
 Branch count: 2
 Document count: 2
-Index: geneve-ut-391
+Index: geneve-ut-0391
 ```python
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
@@ -5965,7 +5965,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 Branch count: 96
 Document count: 96
-Index: geneve-ut-392
+Index: geneve-ut-0392
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -5989,7 +5989,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 48
 Document count: 96
-Index: geneve-ut-393
+Index: geneve-ut-0393
 ```python
 sequence by host.id, user.id with maxspan=30s
@@ -6003,7 +6003,7 @@ sequence by host.id, user.id with maxspan=30s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-394
+Index: geneve-ut-0394
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)
@@ -6015,7 +6015,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
 Branch count: 2
 Document count: 2
-Index: geneve-ut-395
+Index: geneve-ut-0395
 ```python
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)
@@ -6027,7 +6027,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
 Branch count: 1
 Document count: 1
-Index: geneve-ut-398
+Index: geneve-ut-0398
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
@@ -6039,7 +6039,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-399
+Index: geneve-ut-0399
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success
@@ -6051,7 +6051,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-400
+Index: geneve-ut-0400
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success
@@ -6063,7 +6063,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-401
+Index: geneve-ut-0401
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success
@@ -6075,7 +6075,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-402
+Index: geneve-ut-0402
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success
@@ -6087,7 +6087,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-403
+Index: geneve-ut-0403
 ```python
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
@@ -6099,7 +6099,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -6111,7 +6111,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -6123,7 +6123,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -6135,7 +6135,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -6147,7 +6147,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -6159,7 +6159,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -6172,7 +6172,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -6191,7 +6191,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -6203,7 +6203,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -6218,7 +6218,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6232,7 +6232,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -6246,7 +6246,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -6258,7 +6258,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -6270,7 +6270,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6284,7 +6284,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6305,7 +6305,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6319,7 +6319,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6338,7 +6338,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -6363,7 +6363,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python event.category: "process" and host.os.type:windows and @@ -6381,7 +6381,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6396,7 +6396,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6410,7 +6410,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6424,7 +6424,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6464,7 +6464,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -6476,7 +6476,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -6494,7 +6494,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6511,7 +6511,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -6523,7 +6523,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 1 Document count: 1 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6548,7 +6548,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python event.category:file and host.os.type:linux and event.type:change and @@ -6567,7 +6567,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6589,7 +6589,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 16 Document count: 16 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -6606,7 +6606,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python event.action:"Directory Service Changes" and event.code:"5136" and 
@@ -6620,7 +6620,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -6632,7 +6632,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6646,7 +6646,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6665,7 +6665,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python sequence by process.entity_id @@ -6680,7 +6680,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-444 +Index: geneve-ut-0444 ```python sequence by process.entity_id with maxspan=10m @@ -6698,7 +6698,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -6710,7 +6710,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -6735,7 +6735,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by winlog.computer_name, source.ip with maxspan=10s 
@@ -6761,7 +6761,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -6785,7 +6785,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 84 Document count: 84 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6804,7 +6804,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -6819,7 +6819,7 @@ not process.args : "/usr/bin/snap" Branch count: 560 Document count: 560 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python process where container.id: "*" and event.type== "start" @@ -6842,7 +6842,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 5 Document count: 5 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -6857,7 +6857,7 @@ process.name == "rlwrap" and process.args in ( Branch count: 2 Document count: 2 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where event.type == "change" and @@ -6873,7 +6873,7 @@ registry where event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-458 +Index: geneve-ut-0458 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -6889,7 +6889,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and 
@@ -6907,7 +6907,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python sequence by process.entity_id @@ -6926,7 +6926,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python sequence by process.entity_id @@ -6945,7 +6945,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python sequence by host.id with maxspan=1m @@ -6962,7 +6962,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-463 +Index: geneve-ut-0463 ```python sequence by process.entity_id @@ -6987,7 +6987,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python sequence by process.entity_id @@ -7009,7 +7009,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python registry where host.os.type == "windows" and registry.data.strings : "?*" and @@ -7038,7 +7038,7 @@ registry where host.os.type == "windows" and registry.data.strings : "?*" and Branch count: 2 Document count: 2 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -7054,7 +7054,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7067,7 +7067,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" 
@@ -7079,7 +7079,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -7091,7 +7091,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 6 Document count: 6 -Index: geneve-ut-473 +Index: geneve-ut-0473 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -7105,7 +7105,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "nping" @@ -7117,7 +7117,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 1 Document count: 1 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -7129,7 +7129,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -7143,7 +7143,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success 
@@ -7155,7 +7155,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -7168,7 +7168,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset:okta.system and event.category:authentication and @@ -7181,7 +7181,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 2 Document count: 2 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -7193,7 +7193,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -7205,7 +7205,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -7217,7 +7217,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -7232,7 +7232,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7246,7 +7246,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -7258,7 +7258,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -7270,7 +7270,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7288,7 +7288,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -7301,7 +7301,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -7315,7 +7315,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python sequence by host.id with maxspan=5s @@ -7331,7 +7331,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python /* Registry Path ends with backslash */ 
@@ -7356,7 +7356,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -7382,7 +7382,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "macos" and event.type == "start" and @@ -7402,7 +7402,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-498 +Index: geneve-ut-0498 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7421,7 +7421,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7434,7 +7434,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7450,7 +7450,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7463,7 +7463,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7482,7 +7482,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7510,7 +7510,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7525,7 +7525,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python registry where host.os.type == "windows" and @@ -7588,7 +7588,7 @@ registry where host.os.type == "windows" and Branch count: 7 Document count: 7 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and @@ -7611,7 +7611,7 @@ file where host.os.type == "windows" and event.type != "deletion" and user.domai Branch count: 2 Document count: 2 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python registry where host.os.type == "windows" and registry.path : ( @@ -7626,7 +7626,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-508 +Index: geneve-ut-0508 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -7644,7 +7644,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) 
@@ -7656,7 +7656,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python sequence by user.email with maxspan=10m @@ -7671,7 +7671,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7684,7 +7684,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-514 +Index: geneve-ut-0514 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -7698,7 +7698,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 8 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and @@ -7714,7 +7714,7 @@ event.type == "start" and user.name == "postgres" and ( Branch count: 2 Document count: 6 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python sequence by host.id, user.name with maxspan = 5s @@ -7743,7 +7743,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 63 Document count: 63 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python process where event.type in ("start", "process_started", "info") and @@ -7767,7 +7767,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 6 Document count: 6 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python any where event.action == "Directory Service Access" and @@ -7802,7 +7802,7 @@ any where event.action == "Directory Service Access" and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python process where host.os.type == "windows" and event.code == "10" and 
@@ -7820,7 +7820,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7843,7 +7843,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7893,7 +7893,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python sequence by process.entity_id with maxspan=1m @@ -7911,7 +7911,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python sequence by process.entity_id @@ -7926,7 +7926,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python any where processor.name == "transaction" and @@ -7940,7 +7940,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7961,7 +7961,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7982,7 +7982,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7995,7 +7995,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" @@ -8007,7 +8007,7 @@ process where event.action == "exec" and process.parent.name =="proot" and host Branch count: 2 Document count: 2 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( @@ -8022,7 +8022,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 2 Document count: 2 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 @@ -8034,7 +8034,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8047,7 +8047,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8060,7 +8060,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8073,7 +8073,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and 
@@ -8086,7 +8086,7 @@ process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2* Branch count: 60 Document count: 120 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python sequence by host.id with maxspan=1m @@ -8122,7 +8122,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python event.category:process and host.os.type:macos and event.type:start and @@ -8135,7 +8135,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8153,7 +8153,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -8167,7 +8167,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python sequence by host.id with maxspan=30s @@ -8186,7 +8186,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8200,7 +8200,7 @@ process.args : "-u" and process.args : "0" and process.args : "-o" Branch count: 3 Document count: 6 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python sequence by process.parent.name,host.name with maxspan=1m @@ -8217,7 +8217,7 @@ sequence by process.parent.name,host.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "linux" and process.name == "unshadow" and 
@@ -8230,7 +8230,7 @@ process where host.os.type == "linux" and process.name == "unshadow" and Branch count: 78 Document count: 78 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -8258,7 +8258,7 @@ process.name in ( Branch count: 1 Document count: 10 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -8274,7 +8274,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 36 Document count: 36 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -8288,7 +8288,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 229 Document count: 229 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( @@ -8315,7 +8315,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 6 Document count: 6 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8334,7 +8334,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python process where host.os.type == "windows" and @@ -8472,7 +8472,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python process where host.os.type == "windows" and @@ -8543,7 +8543,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python library where host.os.type == "windows" and event.action == "load" and 
@@ -8560,7 +8560,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 1 Document count: 1 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -8572,7 +8572,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8612,7 +8612,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -8630,7 +8630,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4 Document count: 4 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python network where process.name : ("http", "https") @@ -8645,7 +8645,7 @@ network where process.name : ("http", "https") Branch count: 2 Document count: 4 -Index: geneve-ut-571 +Index: geneve-ut-0571 ```python sequence by process.entity_id with maxspan=1m @@ -8665,7 +8665,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-572 +Index: geneve-ut-0572 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -8706,7 +8706,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 1 Document count: 1 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python network where host.os.type == "windows" and @@ -8721,7 +8721,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and 
@@ -8734,7 +8734,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8749,7 +8749,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8762,7 +8762,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -8779,7 +8779,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -8799,7 +8799,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 696 Document count: 696 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python event.category:process and host.os.type:windows and @@ -8992,7 +8992,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9008,7 +9008,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and 
@@ -9022,7 +9022,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -9039,7 +9039,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -9053,7 +9053,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( @@ -9069,7 +9069,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -9085,7 +9085,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -9097,7 +9097,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9113,7 +9113,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python sequence by host.id with maxspan=1m @@ -9133,7 +9133,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) 
@@ -9145,7 +9145,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python iam where event.action == "renamed-user-account" and @@ -9159,7 +9159,7 @@ iam where event.action == "renamed-user-account" and Branch count: 1 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python sequence with maxspan=5s @@ -9179,7 +9179,7 @@ sequence with maxspan=5s Branch count: 18 Document count: 18 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python process where host.os.type == "windows" and event.action == "start" and @@ -9202,7 +9202,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9222,7 +9222,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9235,7 +9235,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python file where host.os.type == "windows" and @@ -9250,7 +9250,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python /* Identifies the modification of RDP Shadow registry or @@ -9277,7 +9277,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9292,7 +9292,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python sequence with maxspan=1m 
@@ -9334,7 +9334,7 @@ sequence with maxspan=1m Branch count: 80 Document count: 80 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where event.type in ("start", "process_started") and @@ -9355,7 +9355,7 @@ process where event.type in ("start", "process_started") and Branch count: 16 Document count: 16 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9369,7 +9369,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 288 Document count: 576 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python sequence by host.id with maxspan=5s @@ -9389,7 +9389,7 @@ sequence by host.id with maxspan=5s Branch count: 10 Document count: 10 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9405,7 +9405,7 @@ process.name in ("curl", "wget") and process.args : ( Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -9417,7 +9417,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -9431,7 +9431,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 32 Document count: 96 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -9459,7 +9459,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python sequence by host.id with maxspan=1s 
@@ -9478,7 +9478,7 @@ sequence by host.id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9491,7 +9491,7 @@ process.name == "sudo" and process.args == "-u#-1" Branch count: 1 Document count: 2 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -9507,7 +9507,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -9521,7 +9521,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python file where event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -9551,7 +9551,7 @@ file.path : ( Branch count: 4 Document count: 4 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -9564,7 +9564,7 @@ process.name in ("chown", "chmod") and process.args == "-R" and process.args : " Branch count: 2 Document count: 2 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( @@ -9580,7 +9580,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 8 Document count: 16 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -9596,7 +9596,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 42 Document count: 42 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9612,7 +9612,7 @@ process.parent.name in ("screen", "tmux") and process.name : ( Branch count: 21 Document count: 21 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python event.category:process and host.os.type:windows and @@ -9637,7 +9637,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python event.category:process and host.os.type:windows and @@ -9655,7 +9655,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python event.category:process and host.os.type:windows and @@ -9678,7 +9678,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -9690,7 +9690,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python event.category:process and host.os.type:windows and @@ -9715,7 +9715,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9731,7 +9731,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-656 +Index: geneve-ut-0656 ```python event.category:process and host.os.type:windows and 
@@ -9770,7 +9770,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9784,7 +9784,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -9798,7 +9798,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -9811,7 +9811,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 4 Document count: 4 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9829,7 +9829,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -9846,7 +9846,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9860,7 +9860,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 96 Document count: 96 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -9935,7 +9935,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python sequence by winlog.computer_name with maxspan=1m 
@@ -9956,7 +9956,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9975,7 +9975,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 66 Document count: 66 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10013,7 +10013,7 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind Branch count: 2 Document count: 2 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -10025,7 +10025,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -10037,7 +10037,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -10049,7 +10049,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python sequence by host.id with maxspan=5s @@ -10073,7 +10073,7 @@ sequence by host.id with maxspan=5s Branch count: 2 Document count: 2 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python process where event.type in ("start", "process_started") and process.name : "* " 
@@ -10085,7 +10085,7 @@ process where event.type in ("start", "process_started") and process.name : "* Branch count: 1 Document count: 1 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10099,7 +10099,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-680 +Index: geneve-ut-0680 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -10112,7 +10112,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-681 +Index: geneve-ut-0681 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains" @@ -10124,7 +10124,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 1 Document count: 2 -Index: geneve-ut-682 +Index: geneve-ut-0682 ```python sequence by process.entity_id @@ -10148,7 +10148,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python registry where host.os.type == "windows" and @@ -10169,7 +10169,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -10181,7 +10181,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -10193,7 +10193,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-692 +Index: geneve-ut-0692 ```python registry where host.os.type == "windows" and @@ -10210,7 +10210,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python registry where host.os.type == "windows" and @@ -10232,7 +10232,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-695 +Index: geneve-ut-0695 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10247,7 +10247,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence with maxspan=1m @@ -10262,7 +10262,7 @@ sequence with maxspan=1m Branch count: 16 Document count: 16 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10276,7 +10276,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -10297,7 +10297,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10311,7 +10311,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-700 +Index: geneve-ut-0700 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10325,7 +10325,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python sequence by process.entity_id with maxspan=30s @@ -10349,7 +10349,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python sequence by host.id, process.entity_id @@ -10365,7 +10365,7 @@ sequence by host.id, process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python /* Network Logon followed by Scheduled Task creation */ @@ -10385,7 +10385,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10400,7 +10400,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -10419,7 +10419,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 12 Document count: 12 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10440,7 +10440,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -10482,7 +10482,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python sequence with maxspan=1m 
@@ -10505,7 +10505,7 @@ sequence with maxspan=1m Branch count: 8 Document count: 16 -Index: geneve-ut-709 +Index: geneve-ut-0709 ```python sequence with maxspan=1s @@ -10552,7 +10552,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10565,7 +10565,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -10612,7 +10612,7 @@ Index: geneve-ut-712 Branch count: 4 Document count: 4 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -10631,7 +10631,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 6 Document count: 6 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python file where container.id:"*" and @@ -10644,7 +10644,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where container.id: "*" and event.type == "start" and @@ -10665,7 +10665,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-719 +Index: geneve-ut-0719 ```python process where container.id: "*" and event.type== "start" and @@ -10679,7 +10679,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 36 Document count: 36 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10697,7 +10697,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python sequence by host.id with maxspan = 30s 
@@ -10716,7 +10716,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python registry where host.os.type == "windows" and @@ -10732,7 +10732,7 @@ registry where host.os.type == "windows" and Branch count: 27 Document count: 27 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -10773,7 +10773,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -10807,7 +10807,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10821,7 +10821,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10835,7 +10835,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python process where event.type == "start" and @@ -10890,7 +10890,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-732 +Index: geneve-ut-0732 ```python process where container.id: "*" and event.type== "start" and @@ -10933,7 +10933,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python process where container.id: "*" and event.type== "start" and 
@@ -10957,7 +10957,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -10970,7 +10970,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-735 +Index: geneve-ut-0735 ```python sequence by process.entity_id with maxspan = 1m @@ -10987,7 +10987,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -11007,7 +11007,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python sequence by winlog.computer_name with maxspan=5m @@ -11031,7 +11031,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11051,7 +11051,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11074,7 +11074,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python process where event.type == "start" and @@ -11087,7 +11087,7 @@ process where event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
@@ -11100,7 +11100,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" Branch count: 1 Document count: 1 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -11112,7 +11112,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python sequence by host.id with maxspan=5s @@ -11126,7 +11126,7 @@ sequence by host.id with maxspan=5s Branch count: 18 Document count: 18 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -11146,7 +11146,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-747 +Index: geneve-ut-0747 ```python process where host.os.type == "windows" and event.type == "start" @@ -11160,7 +11160,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-748 +Index: geneve-ut-0748 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11174,7 +11174,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 28 Document count: 28 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python registry where host.os.type == "windows" and registry.path : ( @@ -11198,7 +11198,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 12 Document count: 24 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by host.id, process.entity_id with maxspan=5s 
@@ -11223,7 +11223,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11256,7 +11256,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -11281,7 +11281,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -11296,7 +11296,7 @@ not group.Ext.real.id : "0" and not user.Ext.real.id : "0" Branch count: 16 Document count: 16 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11310,7 +11310,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-766 +Index: geneve-ut-0766 ```python event.category:process and host.os.type:windows and @@ -11335,7 +11335,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -11347,7 +11347,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python file where host.os.type == "windows" and event.action != "deletion" and file.path != null and 
@@ -11360,7 +11360,7 @@ file where host.os.type == "windows" and event.action != "deletion" and file.pat Branch count: 2 Document count: 4 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python sequence by host.id with maxspan=30s @@ -11374,7 +11374,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-770 +Index: geneve-ut-0770 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11404,7 +11404,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-771 +Index: geneve-ut-0771 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -11428,7 +11428,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-772 +Index: geneve-ut-0772 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11442,7 +11442,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-773 +Index: geneve-ut-0773 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11465,7 +11465,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-774 +Index: geneve-ut-0774 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11479,7 +11479,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 58 Document count: 58 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11673,7 +11673,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -11689,7 +11689,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n Branch count: 1 Document count: 1 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -11702,7 +11702,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python any where host.os.type == "windows" and @@ -11735,7 +11735,7 @@ any where host.os.type == "windows" and Branch count: 44 Document count: 44 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11771,7 +11771,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11790,7 +11790,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -11806,7 +11806,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-786 +Index: geneve-ut-0786 ```python process where host.os.type == "windows" and event.type : "start" and 
@@ -11826,7 +11826,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11850,7 +11850,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-791 +Index: geneve-ut-0791 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11863,7 +11863,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python any where host.os.type == "windows" and @@ -11878,7 +11878,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python registry where host.os.type == "windows" and registry.path : ( @@ -11895,7 +11895,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 6 Document count: 6 -Index: geneve-ut-795 +Index: geneve-ut-0795 ```python process where container.id: "*" and @@ -11916,7 +11916,7 @@ process.args: "*/*sh" Branch count: 1 Document count: 1 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python process where host.os.type == "windows" and event.code == "10" and @@ -11935,7 +11935,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "windows" and event.code == "10" and @@ -11970,7 +11970,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 456 Document count: 456 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11990,7 +11990,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 52 Document count: 52 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12011,7 +12011,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 64 Document count: 128 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python sequence by process.entity_id with maxspan=5m @@ -12034,7 +12034,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 14 Document count: 14 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python file where host.os.type == "linux" and event.type == "creation" and @@ -12048,7 +12048,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 2 Document count: 2 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -12124,7 +12124,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 28 Document count: 28 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python process where container.id: "*" and event.type== "start" and @@ -12141,7 +12141,7 @@ process where container.id: "*" and event.type== "start" and Branch count: 212 Document count: 212 -Index: geneve-ut-809 +Index: geneve-ut-0809 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12165,7 +12165,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-810 +Index: geneve-ut-0810 ```python event.category:process and host.os.type:windows and @@ -12180,7 +12180,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python file where host.os.type == "windows" and event.type : "deletion" and 
@@ -12194,7 +12194,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 4 Document count: 8 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python sequence by host.id with maxspan=30s @@ -12218,7 +12218,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -12251,7 +12251,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-816 +Index: geneve-ut-0816 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -12270,7 +12270,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12283,7 +12283,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 180 Document count: 180 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python process where event.type == "start" and event.action : ("exec", "exec_event") and @@ -12317,7 +12317,7 @@ not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/u Branch count: 48 Document count: 48 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python any where host.os.type == "windows" and @@ -12345,7 +12345,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-823 +Index: geneve-ut-0823 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -12363,7 +12363,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-824 +Index: geneve-ut-0824 ```python file where host.os.type == "linux" and event.action == "rename" and 
@@ -12377,7 +12377,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-825 +Index: geneve-ut-0825 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and @@ -12390,7 +12390,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 2 Document count: 4 -Index: geneve-ut-826 +Index: geneve-ut-0826 ```python sequence by process.entity_id with maxspan=2m @@ -12424,7 +12424,7 @@ sequence by process.entity_id with maxspan=2m Branch count: 2 Document count: 2 -Index: geneve-ut-828 +Index: geneve-ut-0828 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12449,7 +12449,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-829 +Index: geneve-ut-0829 ```python registry where host.os.type == "windows" and @@ -12479,7 +12479,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-833 +Index: geneve-ut-0833 ```python process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx") @@ -12492,7 +12492,7 @@ and process.parent.name : "kill" Branch count: 160 Document count: 160 -Index: geneve-ut-834 +Index: geneve-ut-0834 ```python process where host.os.type == "windows" and event.action == "start" and @@ -12516,7 +12516,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 34 Document count: 34 -Index: geneve-ut-835 +Index: geneve-ut-0835 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -12532,7 +12532,7 @@ process.name == "proxychains" and process.args : ( Branch count: 2 Document count: 2 -Index: geneve-ut-836 +Index: geneve-ut-0836 ```python any where event.dataset == "windows.sysmon_operational" and event.code == "21" and 
@@ -12545,7 +12545,7 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a Branch count: 30 Document count: 30 -Index: geneve-ut-837 +Index: geneve-ut-0837 ```python any where host.os.type == "windows" and @@ -12560,7 +12560,7 @@ any where host.os.type == "windows" and Branch count: 48 Document count: 96 -Index: geneve-ut-838 +Index: geneve-ut-0838 ```python sequence by process.entity_id with maxspan = 2m @@ -12578,7 +12578,7 @@ sequence by process.entity_id with maxspan = 2m Branch count: 1 Document count: 1 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12597,7 +12597,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-840 +Index: geneve-ut-0840 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12610,7 +12610,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-841 +Index: geneve-ut-0841 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -12656,7 +12656,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -12674,7 +12674,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12690,7 +12690,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 992 Document count: 1984 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -12728,7 +12728,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 5 Document count: 5 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python process where event.type == "start" and event.action == "exec" and @@ -12741,7 +12741,7 @@ process where event.type == "start" and event.action == "exec" and Branch count: 2 Document count: 2 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12755,7 +12755,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -12782,7 +12782,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python process where event.type == "start" and @@ -12795,7 +12795,7 @@ process where event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-850 +Index: geneve-ut-0850 ```python process where event.type == "start" and @@ -12808,7 +12808,7 @@ process where event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-851 +Index: geneve-ut-0851 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12827,7 +12827,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12844,7 +12844,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12862,7 +12862,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12875,7 +12875,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-855 +Index: geneve-ut-0855 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -12888,7 +12888,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 90 Document count: 90 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python process where event.type in ("start", "process_started") and @@ -12911,7 +12911,7 @@ process where event.type in ("start", "process_started") and Branch count: 1 Document count: 2 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -12925,7 +12925,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python file where host.os.type == "windows" and event.type == "deletion" and @@ -12953,7 +12953,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and @@ -12968,7 +12968,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-865 +Index: geneve-ut-0865 ```python process where event.type : ("start", "process_started") and process.name : "trap" and process.args : "SIG*" 
@@ -12980,7 +12980,7 @@ process where event.type : ("start", "process_started") and process.name : "tra Branch count: 1 Document count: 1 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12997,7 +12997,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -13013,7 +13013,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13026,7 +13026,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and @@ -13041,7 +13041,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13057,7 +13057,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13072,7 +13072,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13088,7 +13088,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-873 +Index: geneve-ut-0873 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -13100,7 +13100,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -13112,7 +13112,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 15 Document count: 15 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( @@ -13129,7 +13129,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 1 Document count: 1 -Index: geneve-ut-877 +Index: geneve-ut-0877 ```python library where dll.name : "Bitsproxy.dll" and process.executable != null and @@ -13142,7 +13142,7 @@ not process.code_signature.trusted == true Branch count: 1 Document count: 1 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -13156,7 +13156,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-883 +Index: geneve-ut-0883 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13170,7 +13170,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-884 +Index: geneve-ut-0884 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and 
@@ -13183,7 +13183,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-885 +Index: geneve-ut-0885 ```python sequence with maxspan=1h @@ -13201,7 +13201,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -13223,7 +13223,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -13296,7 +13296,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -13310,7 +13310,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-907 +Index: geneve-ut-0907 ```python sequence by process.entity_id with maxspan=5m @@ -13372,7 +13372,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -13391,7 +13391,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -13410,7 +13410,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 32 Document count: 32 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13451,7 +13451,7 @@ process.parent.name != null and Branch count: 8 Document count: 8 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python registry where host.os.type == "windows" and @@ -13483,7 +13483,7 @@ registry where host.os.type == "windows" and Branch count: 32 Document count: 32 -Index: geneve-ut-914 +Index: geneve-ut-0914 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13506,7 +13506,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-915 +Index: geneve-ut-0915 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13519,7 +13519,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13543,7 +13543,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-917 +Index: geneve-ut-0917 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13573,7 +13573,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 33 Document count: 33 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python process where event.type == "start" and host.os.type == "windows" and @@ -13601,7 +13601,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 144 Document count: 288 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python sequence by process.entity_id @@ -13638,7 +13638,7 @@ sequence by process.entity_id Branch count: 1 Document count: 20 -Index: geneve-ut-925 +Index: geneve-ut-0925 ```python sequence by host.id, process.parent.entity_id with maxspan=1s 
@@ -13653,7 +13653,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13668,7 +13668,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) @@ -13680,7 +13680,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-938 +Index: geneve-ut-0938 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -13692,7 +13692,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-939 +Index: geneve-ut-0939 ```python iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and @@ -13712,7 +13712,7 @@ iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" a Branch count: 1 Document count: 1 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -13727,7 +13727,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 9 Document count: 9 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and @@ -13773,7 +13773,7 @@ Index: geneve-ut-941 Branch count: 9 Document count: 9 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and 
@@ -13819,7 +13819,7 @@ Index: geneve-ut-942 Branch count: 10 Document count: 10 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and @@ -13837,7 +13837,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python process where event.type == "start" and @@ -13852,7 +13852,7 @@ process where event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13869,7 +13869,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python process where host.os.type == "windows" and event.type == "start" @@ -13883,7 +13883,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13899,7 +13899,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13913,7 +13913,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python sequence by host.id with maxspan = 2s @@ -13945,7 +13945,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe" 
@@ -13957,7 +13957,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 3 Document count: 3 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13972,7 +13972,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python event.action:"Directory Service Access" and event.code:"5136" and @@ -13985,7 +13985,7 @@ event.action:"Directory Service Access" and event.code:"5136" and Branch count: 1 Document count: 1 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python http.response.status_code:403 and http.request.method:post @@ -13997,7 +13997,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-954 +Index: geneve-ut-0954 ```python http.response.status_code:405 @@ -14009,7 +14009,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -14021,7 +14021,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 42 Document count: 42 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14035,7 +14035,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python event.category:process and host.os.type:macos and event.type:start and @@ -14051,7 +14051,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python file where event.type == "deletion" and 
@@ -14068,7 +14068,7 @@ file where event.type == "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python registry where event.type == "change" and @@ -14084,7 +14084,7 @@ registry where event.type == "change" and Branch count: 33 Document count: 33 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and @@ -14113,7 +14113,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 36 Document count: 36 -Index: geneve-ut-961 +Index: geneve-ut-0961 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14151,7 +14151,7 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" Branch count: 24 Document count: 24 -Index: geneve-ut-963 +Index: geneve-ut-0963 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -14184,7 +14184,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 12 Document count: 12 -Index: geneve-ut-964 +Index: geneve-ut-0964 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14199,7 +14199,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-965 +Index: geneve-ut-0965 ```python event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" @@ -14211,7 +14211,7 @@ event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" Branch count: 16 Document count: 16 -Index: geneve-ut-966 +Index: geneve-ut-0966 ```python process where host.os.type == "windows" and event.action == "start" and @@ -14227,7 +14227,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 10 Document count: 20 -Index: geneve-ut-967 +Index: geneve-ut-0967 ```python sequence with maxspan=1m 
@@ -14252,7 +14252,7 @@ sequence with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-968 +Index: geneve-ut-0968 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14277,7 +14277,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-969 +Index: geneve-ut-0969 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -14298,7 +14298,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-970 +Index: geneve-ut-0970 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14311,7 +14311,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 216 Document count: 432 -Index: geneve-ut-971 +Index: geneve-ut-0971 ```python sequence by host.id with maxspan = 5s @@ -14351,7 +14351,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-972 +Index: geneve-ut-0972 ```python event.action:"service-installed" and @@ -14364,7 +14364,7 @@ event.action:"service-installed" and Branch count: 2 Document count: 2 -Index: geneve-ut-973 +Index: geneve-ut-0973 ```python registry where host.os.type == "windows" and @@ -14379,7 +14379,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python process where host.os.type == "windows" and event.type : "start" and @@ -14393,7 +14393,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14421,7 +14421,7 @@ process.parent.executable : ( Branch count: 18 Document count: 18 -Index: geneve-ut-976 +Index: geneve-ut-0976 ```python process where event.type == "start" and 
@@ -14446,7 +14446,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-977 +Index: geneve-ut-0977 ```python process where host.os.type == "windows" and event.type == "start" and @@ -14460,7 +14460,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/alerts_from_rules-8.9.md b/tests/reports/alerts_from_rules-8.9.md index 3f6655d2..eb004710 100644 --- a/tests/reports/alerts_from_rules-8.9.md +++ b/tests/reports/alerts_from_rules-8.9.md @@ -19,7 +19,7 @@ Rules version: 8.9.15 Branch count: 4608 Document count: 13824 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python sequence by host.id, user.id with maxspan=1m @@ -40,7 +40,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -59,7 +59,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-577 +Index: geneve-ut-0577 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -78,7 +78,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 3510 Document count: 3510 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "linux" and event.type == "start" and @@ -104,7 +104,7 @@ not process.name == "phpquery" Branch count: 2048 Document count: 22528 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python sequence by host.id, source.ip, user.name with maxspan=15s 
@@ -121,7 +121,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 4608 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "windows" and event.type == "start" and @@ -170,7 +170,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1836 Document count: 1836 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -202,7 +202,7 @@ event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") Branch count: 2 Document count: 2 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -215,7 +215,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -230,7 +230,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4608 Document count: 13824 -Index: geneve-ut-262 +Index: geneve-ut-0262 Failure message(s): got 1000 signals, expected 4608 @@ -253,7 +253,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-573 +Index: geneve-ut-0573 Failure message(s): got 1000 signals, expected 1024 @@ -274,7 +274,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-577 +Index: geneve-ut-0577 Failure message(s): got 1000 signals, expected 1024 @@ -295,7 +295,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 3510 Document count: 3510 -Index: geneve-ut-644 +Index: geneve-ut-0644 Failure message(s): got 1000 signals, expected 3510 
@@ -323,7 +323,7 @@ not process.name == "phpquery" Branch count: 2048 Document count: 22528 -Index: geneve-ut-666 +Index: geneve-ut-0666 Failure message(s): got 1000 signals, expected 2048 @@ -342,7 +342,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 4608 -Index: geneve-ut-839 +Index: geneve-ut-0839 Failure message(s): got 1000 signals, expected 4608 @@ -393,7 +393,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 22 -Index: geneve-ut-867 +Index: geneve-ut-0867 Failure message(s): got 8 signals, expected 11 @@ -414,7 +414,7 @@ sequence by host.id with maxspan=5s Branch count: 1836 Document count: 1836 -Index: geneve-ut-891 +Index: geneve-ut-0891 Failure message(s): got 1000 signals, expected 1836 @@ -448,7 +448,7 @@ event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -475,7 +475,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -505,7 +505,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -517,7 +517,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-0003 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success 
@@ -529,7 +529,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-0004 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -541,7 +541,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-0005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -553,7 +553,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-0006 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -565,7 +565,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-0007 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -577,7 +577,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -589,7 +589,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -604,7 +604,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -616,7 +616,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python process where event.module == "cloud_defend" and @@ -633,7 +633,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -646,7 +646,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -658,7 +658,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -672,7 +672,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -684,7 +684,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -696,7 +696,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -708,7 +708,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -720,7 +720,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-0019 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -733,7 +733,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-0020 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -746,7 +746,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-021 +Index: geneve-ut-0021 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -760,7 +760,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -773,7 +773,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -785,7 +785,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -797,7 +797,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-0025 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -809,7 +809,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-027 +Index: geneve-ut-0027 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -821,7 +821,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success 
@@ -833,7 +833,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -845,7 +845,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -857,7 +857,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -869,7 +869,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -893,7 +893,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -905,7 +905,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -917,7 +917,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -929,7 +929,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-0038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -941,7 +941,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-0039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -953,7 +953,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-0040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -965,7 +965,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and 
@@ -978,7 +978,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-0042 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -990,7 +990,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-0043 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1005,7 +1005,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-0044 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1017,7 +1017,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-0045 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1029,7 +1029,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1042,7 +1042,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or 
@@ -1055,7 +1055,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1068,7 +1068,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1083,7 +1083,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -1096,7 +1096,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1109,7 +1109,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -1123,7 +1123,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -1136,7 +1136,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success 
@@ -1148,7 +1148,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-055 +Index: geneve-ut-0055 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1160,7 +1160,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1172,7 +1172,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1188,7 +1188,7 @@ Index: geneve-ut-059 Branch count: 52 Document count: 52 -Index: geneve-ut-060 +Index: geneve-ut-0060 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1217,7 +1217,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1255,7 +1255,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python any where event.action == "Directory Service Access" and event.code == "4662" and 
@@ -1290,7 +1290,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 2 Document count: 2 -Index: geneve-ut-063 +Index: geneve-ut-0063 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1303,7 +1303,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-065 +Index: geneve-ut-0065 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1323,7 +1323,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-066 +Index: geneve-ut-0066 ```python sequence by winlog.computer_name with maxspan=1m @@ -1351,7 +1351,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 12 Document count: 12 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python process where event.type== "start" and event.action == "exec" and @@ -1369,7 +1369,7 @@ process where event.type== "start" and event.action == "exec" and Branch count: 36 Document count: 36 -Index: geneve-ut-068 +Index: geneve-ut-0068 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1389,7 +1389,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1403,7 +1403,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.action:"Directory Service Changes" and event.code:5136 and 
@@ -1416,7 +1416,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1428,7 +1428,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-073 +Index: geneve-ut-0073 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1440,7 +1440,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1455,7 +1455,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1467,7 +1467,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.agent_id_status:agent_id_mismatch @@ -1479,7 +1479,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1498,7 +1498,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-083 +Index: geneve-ut-0083 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -1511,7 +1511,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-0084 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1523,7 +1523,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-0085 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1538,7 +1538,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-0087 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1550,7 +1550,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 3 Document count: 3 -Index: geneve-ut-088 +Index: geneve-ut-0088 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and @@ -1563,7 +1563,7 @@ event.type == "start" and process.name == "dmesg" and process.args : "-c" Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-0089 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1575,7 +1575,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-0090 ```python event.dataset:okta.system and event.action:user.mfa.factor.deactivate @@ -1587,7 +1587,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-0091 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate 
@@ -1599,7 +1599,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-0092 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1611,7 +1611,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-0093 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1623,7 +1623,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-094 +Index: geneve-ut-0094 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1635,7 +1635,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-095 +Index: geneve-ut-0095 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1647,7 +1647,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:okta.system and event.action:zone.delete @@ -1659,7 +1659,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-097 +Index: geneve-ut-0097 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -1671,7 +1671,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-098 +Index: geneve-ut-0098 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1683,7 +1683,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-099 +Index: geneve-ut-0099 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -1696,7 +1696,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 34 Document count: 34 -Index: geneve-ut-100 +Index: geneve-ut-0100 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -1723,7 +1723,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-101 +Index: geneve-ut-0101 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -1739,7 +1739,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-102 +Index: geneve-ut-0102 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1752,7 +1752,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1771,7 +1771,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1786,7 +1786,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1798,7 +1798,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-106 +Index: geneve-ut-0106 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) 
@@ -1810,7 +1810,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-0107 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1822,7 +1822,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1834,7 +1834,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1853,7 +1853,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1871,7 +1871,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1883,7 +1883,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1895,7 +1895,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-113 +Index: geneve-ut-0113 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -1908,7 +1908,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1920,7 +1920,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1950,7 +1950,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -1965,7 +1965,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1979,7 +1979,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python event.dataset:azure.signinlogs and @@ -1993,7 +1993,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.dataset:azure.signinlogs and @@ -2006,7 +2006,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-122 +Index: geneve-ut-0122 ```python event.dataset:azure.signinlogs and @@ -2020,7 +2020,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and 
@@ -2033,7 +2033,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2045,7 +2045,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2057,7 +2057,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.dataset:azure.activitylogs and @@ -2076,7 +2076,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.dataset:azure.activitylogs and @@ -2090,7 +2090,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-128 +Index: geneve-ut-0128 ```python event.dataset:azure.activitylogs and @@ -2108,7 +2108,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-129 +Index: geneve-ut-0129 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2120,7 +2120,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-130 +Index: geneve-ut-0130 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( 
@@ -2135,7 +2135,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-131 +Index: geneve-ut-0131 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2147,7 +2147,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-132 +Index: geneve-ut-0132 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2160,7 +2160,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-0133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2172,7 +2172,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2184,7 +2184,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) 
@@ -2196,7 +2196,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2208,7 +2208,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2220,7 +2220,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-138 +Index: geneve-ut-0138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2232,7 +2232,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2250,7 +2250,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2266,7 +2266,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) 
@@ -2278,7 +2278,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2291,7 +2291,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2304,7 +2304,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2319,7 +2319,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2331,7 +2331,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2343,7 +2343,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) 
@@ -2355,7 +2355,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2367,7 +2367,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2379,7 +2379,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2391,7 +2391,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2409,7 +2409,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" 
@@ -2421,7 +2421,7 @@ process where host.os.type == "linux" and event.type != "end" and process.execut Branch count: 8 Document count: 8 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type in ("start", "process_started") and @@ -2434,7 +2434,7 @@ process.name in ("base16", "base32", "base32plain", "base32hex") and not process Branch count: 9 Document count: 9 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python event.category:file and event.type:change and @@ -2459,7 +2459,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2474,7 +2474,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2489,7 +2489,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2511,7 +2511,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python file where event.action : "creation" and @@ -2535,7 +2535,7 @@ file where event.action : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2553,7 +2553,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2571,7 +2571,7 @@ not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") Branch count: 24 Document count: 24 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2587,7 +2587,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2609,7 +2609,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2623,7 +2623,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-165 +Index: geneve-ut-0165 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -2640,7 +2640,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 12 Document count: 12 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2660,7 +2660,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python sequence by process.entity_id @@ -2683,7 +2683,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2700,7 +2700,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-170 +Index: geneve-ut-0170 ```python library where @@ -2729,7 +2729,7 @@ library where Branch count: 24 Document count: 24 -Index: geneve-ut-172 +Index: geneve-ut-0172 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2754,7 +2754,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python sequence by process.entity_id @@ -2774,7 +2774,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python sequence by process.entity_id @@ -2794,7 +2794,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python process where container.id: "*" and event.type== "start" @@ -2807,7 +2807,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.kind:alert and event.module:cloud_defend @@ -2819,7 +2819,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 24 Document count: 24 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2845,7 +2845,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2865,7 +2865,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -2878,7 +2878,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -2891,7 +2891,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python file where event.type in ("change", "creation") and host.os.type == "linux" and @@ -2905,7 +2905,7 @@ not process.name : ("dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm") Branch count: 1 Document count: 1 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -2919,7 +2919,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python registry where host.os.type == "windows" and registry.path : ( @@ -2934,7 +2934,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2946,7 +2946,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2989,7 +2989,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -3004,7 +3004,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 8 Document count: 8 -Index: geneve-ut-189 +Index: geneve-ut-0189 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3019,7 +3019,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-190 +Index: geneve-ut-0190 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3031,7 +3031,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3043,7 +3043,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3055,7 +3055,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3067,7 +3067,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:cyberarkpas.audit and event.type:error 
@@ -3079,7 +3079,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:cyberarkpas.audit and @@ -3094,7 +3094,7 @@ event.dataset:cyberarkpas.audit and Branch count: 4 Document count: 4 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -3112,7 +3112,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 9 Document count: 9 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3127,7 +3127,7 @@ Index: geneve-ut-199 Branch count: 2 Document count: 2 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3141,7 +3141,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3155,7 +3155,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3177,7 +3177,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3194,7 +3194,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3216,7 +3216,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3230,7 +3230,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python process where event.type : ("start", "process_started") and host.os.type == "linux" and @@ -3245,7 +3245,7 @@ process where event.type : ("start", "process_started") and host.os.type == "li Branch count: 1 Document count: 1 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3257,7 +3257,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3270,7 +3270,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3282,7 +3282,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python sequence by process.entity_id with maxspan=1m @@ -3300,7 +3300,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 3 Document count: 3 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "linux" and event.type == "start" and process.name : "find" and 
@@ -3313,7 +3313,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 27 Document count: 27 -Index: geneve-ut-217 +Index: geneve-ut-0217 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3327,7 +3327,7 @@ process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", Branch count: 9 Document count: 9 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed") @@ -3340,7 +3340,7 @@ and process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmw Branch count: 2 Document count: 2 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3352,7 +3352,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 201 Document count: 201 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where @@ -3383,7 +3383,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-221 +Index: geneve-ut-0221 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3396,7 +3396,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3410,7 +3410,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and @@ -3424,7 +3424,7 @@ registry where host.os.type == "windows" and Branch count: 14 Document count: 14 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3455,7 +3455,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -3467,7 +3467,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3481,7 +3481,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3500,7 +3500,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-229 +Index: geneve-ut-0229 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3527,7 +3527,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 46 Document count: 46 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3557,7 +3557,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python event.category:process and host.os.type:windows and @@ -3577,7 +3577,7 @@ event.category:process and host.os.type:windows and Branch count: 64 Document count: 64 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python file where host.os.type == "windows" and event.action != "deletion" and 
@@ -3605,7 +3605,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-237 +Index: geneve-ut-0237 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -3618,7 +3618,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python sequence by process.entity_id with maxspan=5m @@ -3638,7 +3638,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 2 Document count: 2 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3657,7 +3657,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 48 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python sequence with maxspan=2h @@ -3682,7 +3682,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python sequence with maxspan=2h @@ -3707,7 +3707,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3736,7 +3736,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3748,7 +3748,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and 
@@ -3771,7 +3771,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python sequence by user.id with maxspan=5s @@ -3786,7 +3786,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3798,7 +3798,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3820,7 +3820,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3832,7 +3832,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -3846,7 +3846,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -3859,7 +3859,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -3871,7 +3871,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3883,7 +3883,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3897,7 +3897,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3909,7 +3909,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 19 Document count: 19 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3960,7 +3960,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 1 -Index: geneve-ut-261 +Index: geneve-ut-0261 ```python file where host.os.type == "windows" and event.code : "2" and @@ -3992,7 +3992,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 4 Document count: 4 -Index: geneve-ut-263 +Index: geneve-ut-0263 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4006,7 +4006,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python file where container.id: "*" and event.type in ("change", "creation") and 
@@ -4022,7 +4022,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4037,7 +4037,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 375 Document count: 750 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python sequence by process.entity_id @@ -4064,7 +4064,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-268 +Index: geneve-ut-0268 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4082,7 +4082,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-269 +Index: geneve-ut-0269 ```python process where host.os.type == "linux" and event.type == "start" and user.id == "0" and @@ -4097,7 +4097,7 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " Branch count: 11 Document count: 11 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4123,7 +4123,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4149,7 +4149,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.dataset: google_workspace.alert 
@@ -4161,7 +4161,7 @@ event.dataset: google_workspace.alert Branch count: 4 Document count: 4 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and @@ -4175,7 +4175,7 @@ registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Mi Branch count: 2 Document count: 2 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4187,7 +4187,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4199,7 +4199,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4211,7 +4211,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -4223,7 +4223,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success 
@@ -4235,7 +4235,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -4247,7 +4247,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -4259,7 +4259,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -4271,7 +4271,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -4283,7 +4283,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-300 +Index: geneve-ut-0300 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -4295,7 +4295,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success 
@@ -4307,7 +4307,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-302 +Index: geneve-ut-0302 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4319,7 +4319,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-303 +Index: geneve-ut-0303 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4331,7 +4331,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-304 +Index: geneve-ut-0304 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -4343,7 +4343,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -4355,7 +4355,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -4367,7 +4367,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success 
@@ -4379,7 +4379,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-308 +Index: geneve-ut-0308 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -4391,7 +4391,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -4403,7 +4403,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -4415,7 +4415,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-311 +Index: geneve-ut-0311 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -4427,7 +4427,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -4439,7 +4439,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -4451,7 +4451,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" 
@@ -4463,7 +4463,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -4475,7 +4475,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -4487,7 +4487,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-317 +Index: geneve-ut-0317 ```python configuration where event.dataset == "github.audit" @@ -4500,7 +4500,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -4512,7 +4512,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-319 +Index: geneve-ut-0319 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -4524,7 +4524,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -4536,7 +4536,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" 
@@ -4549,7 +4549,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -4561,7 +4561,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -4573,7 +4573,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -4586,7 +4586,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -4598,7 +4598,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4611,7 +4611,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE 
@@ -4623,7 +4623,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -4636,7 +4636,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -4653,7 +4653,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -4667,7 +4667,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-332 +Index: geneve-ut-0332 ```python sequence by source.user.email with maxspan=3m @@ -4691,7 +4691,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-333 +Index: geneve-ut-0333 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -4712,7 +4712,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-334 +Index: geneve-ut-0334 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4726,7 +4726,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) 
@@ -4738,7 +4738,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -4750,7 +4750,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -4763,7 +4763,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4776,7 +4776,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where event.type : "creation" and process.name : "chflags" @@ -4788,7 +4788,7 @@ file where event.type : "creation" and process.name : "chflags" Branch count: 1 Document count: 2 -Index: geneve-ut-349 +Index: geneve-ut-0349 ```python sequence by process.entity_id with maxspan=5m @@ -4805,7 +4805,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-350 +Index: geneve-ut-0350 ```python any where @@ -4834,7 +4834,7 @@ any where Branch count: 3 Document count: 3 -Index: geneve-ut-351 +Index: geneve-ut-0351 ```python process where host.os.type == "linux" and event.type == "start" @@ -4847,7 +4847,7 @@ and process.name in ("hping", "hping2", "hping3") Branch count: 2 Document count: 2 -Index: geneve-ut-352 +Index: geneve-ut-0352 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4862,7 +4862,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-353 +Index: geneve-ut-0353 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -4874,7 +4874,7 @@ Index: geneve-ut-353 Branch count: 8 Document count: 8 -Index: geneve-ut-356 +Index: geneve-ut-0356 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4891,7 +4891,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-358 +Index: geneve-ut-0358 ```python sequence with maxspan=1m @@ -4910,7 +4910,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-359 +Index: geneve-ut-0359 ```python sequence by host.id with maxspan=1m @@ -4928,7 +4928,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-360 +Index: geneve-ut-0360 ```python sequence by host.id with maxspan=5s @@ -4947,7 +4947,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-361 +Index: geneve-ut-0361 ```python sequence by host.id with maxspan = 30s @@ -4963,7 +4963,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-362 +Index: geneve-ut-0362 ```python sequence by host.id with maxspan=30s @@ -4979,7 +4979,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-363 +Index: geneve-ut-0363 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4992,7 +4992,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-365 +Index: geneve-ut-0365 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5005,7 +5005,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-366 +Index: geneve-ut-0366 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5021,7 +5021,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-367 +Index: geneve-ut-0367 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5040,7 +5040,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-368 +Index: geneve-ut-0368 ```python registry where host.os.type == "windows" and @@ -5059,7 +5059,7 @@ registry where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python process where container.id : "*" and event.type== "start" and @@ -5080,7 +5080,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -5093,7 +5093,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -5111,7 +5111,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 1 Document count: 1 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.action:modified-user-account and event.code:4738 and 
@@ -5124,7 +5124,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -5138,7 +5138,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -5197,7 +5197,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5210,7 +5210,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5223,7 +5223,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 6 Document count: 6 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and @@ -5236,7 +5236,7 @@ process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" @@ -5249,7 +5249,7 @@ and not process.parent.name in ("cisco-amp-helper", "ksplice-apply") Branch count: 22 Document count: 22 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
@@ -5263,7 +5263,7 @@ process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh Branch count: 16 Document count: 16 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python process where host.os.type == "macos" and event.type == "start" and @@ -5278,7 +5278,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -5290,7 +5290,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:kubernetes.audit_logs @@ -5305,7 +5305,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset: "kubernetes.audit_logs" @@ -5319,7 +5319,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset : "kubernetes.audit_logs" @@ -5335,7 +5335,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset : "kubernetes.audit_logs" @@ -5352,7 +5352,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset : "kubernetes.audit_logs" @@ -5369,7 +5369,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset : "kubernetes.audit_logs" @@ -5386,7 +5386,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset : "kubernetes.audit_logs" 
@@ -5419,7 +5419,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset : "kubernetes.audit_logs" @@ -5436,7 +5436,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset : "kubernetes.audit_logs" @@ -5453,7 +5453,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python event.dataset : "kubernetes.audit_logs" @@ -5470,7 +5470,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python event.dataset : "kubernetes.audit_logs" @@ -5486,7 +5486,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -5519,7 +5519,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python any where event.action == "File System" and event.code == "4656" and @@ -5554,7 +5554,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python api where host.os.type == "windows" and @@ -5608,7 +5608,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5626,7 +5626,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python sequence by host.id with maxspan=1m 
@@ -5642,7 +5642,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python sequence by host.id with maxspan=1m @@ -5656,7 +5656,7 @@ sequence by host.id with maxspan=1m Branch count: 609 Document count: 609 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5718,7 +5718,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-404 +Index: geneve-ut-0404 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -5733,7 +5733,7 @@ process.args != "1" Branch count: 16 Document count: 16 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python process where event.type == "start" and @@ -5750,7 +5750,7 @@ process where event.type == "start" and Branch count: 60 Document count: 60 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5770,7 +5770,7 @@ process.args in ("root", "admin", "wheel", "staff", "sudo", Branch count: 4 Document count: 4 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python registry where host.os.type == "windows" and registry.path : ( @@ -5785,7 +5785,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 600 Document count: 1200 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python sequence with maxspan=1m @@ -5810,7 +5810,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false 
@@ -5822,7 +5822,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 96 Document count: 96 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5846,7 +5846,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 48 Document count: 96 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python sequence by host.id, user.id with maxspan=30s @@ -5860,7 +5860,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -5872,7 +5872,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -5884,7 +5884,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") @@ -5896,7 +5896,7 @@ process where (problemchild.prediction == 1 or blocklist_label == 1) and not pro Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
@@ -5908,7 +5908,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5920,7 +5920,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-422 +Index: geneve-ut-0422 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -5932,7 +5932,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 1 Document count: 1 -Index: geneve-ut-424 +Index: geneve-ut-0424 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -5944,7 +5944,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -5956,7 +5956,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success 
@@ -5968,7 +5968,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-427 +Index: geneve-ut-0427 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -5980,7 +5980,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-428 +Index: geneve-ut-0428 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -5992,7 +5992,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-429 +Index: geneve-ut-0429 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -6004,7 +6004,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-430 +Index: geneve-ut-0430 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -6016,7 +6016,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-431 +Index: geneve-ut-0431 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success 
@@ -6028,7 +6028,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-432 +Index: geneve-ut-0432 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -6040,7 +6040,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-433 +Index: geneve-ut-0433 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -6052,7 +6052,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-434 +Index: geneve-ut-0434 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -6064,7 +6064,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -6077,7 +6077,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -6096,7 +6096,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success 
@@ -6108,7 +6108,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -6123,7 +6123,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6137,7 +6137,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-440 +Index: geneve-ut-0440 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6151,7 +6151,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-0441 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -6163,7 +6163,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-442 +Index: geneve-ut-0442 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -6175,7 +6175,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6189,7 +6189,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -6210,7 +6210,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6224,7 +6224,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6247,7 +6247,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -6272,7 +6272,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python event.category: "process" and host.os.type:windows and @@ -6296,7 +6296,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-451 +Index: geneve-ut-0451 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6311,7 +6311,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6325,7 +6325,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6339,7 +6339,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 30 Document count: 30 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -6379,7 +6379,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 1 Document count: 1 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -6391,7 +6391,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 12 Document count: 12 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6409,7 +6409,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6426,7 +6426,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -6438,7 +6438,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 1 Document count: 1 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6463,7 +6463,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python event.category:file and host.os.type:linux and event.type:change and @@ -6482,7 +6482,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -6504,7 +6504,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 16 Document count: 16 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python registry where host.os.type == "windows" and event.type : ("creation", "change") and @@ -6521,7 +6521,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") Branch count: 1 Document count: 1 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -6535,7 +6535,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -6547,7 +6547,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 1 Document count: 1 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6561,7 +6561,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6580,7 +6580,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python sequence by process.entity_id @@ -6596,7 +6596,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python sequence by process.entity_id with maxspan=10m 
@@ -6614,7 +6614,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -6626,7 +6626,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -6652,7 +6652,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -6678,7 +6678,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -6702,7 +6702,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 210 Document count: 210 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6721,7 +6721,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -6736,7 +6736,7 @@ not process.args : "/usr/bin/snap" Branch count: 560 Document count: 560 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python process where container.id: "*" and event.type== "start" 
@@ -6759,7 +6759,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 5 Document count: 5 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -6774,7 +6774,7 @@ process.name == "rlwrap" and process.args in ( Branch count: 2 Document count: 2 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python registry where event.type == "change" and @@ -6790,7 +6790,7 @@ registry where event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -6813,7 +6813,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -6831,7 +6831,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python sequence by process.entity_id @@ -6851,7 +6851,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python sequence by process.entity_id @@ -6870,7 +6870,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6888,7 +6888,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by process.entity_id @@ -6913,7 +6913,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-490 +Index: geneve-ut-0490 ```python sequence by process.entity_id 
@@ -6935,7 +6935,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python registry where host.os.type == "windows" and registry.data.strings : "?*" and @@ -6964,7 +6964,7 @@ registry where host.os.type == "windows" and registry.data.strings : "?*" and Branch count: 2 Document count: 2 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -6980,7 +6980,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6993,7 +6993,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -7005,7 +7005,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -7017,7 +7017,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" @@ -7029,7 +7029,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or 
@@ -7043,7 +7043,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-501 +Index: geneve-ut-0501 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "nping" @@ -7055,7 +7055,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 1 Document count: 1 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -7067,7 +7067,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -7081,7 +7081,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -7093,7 +7093,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-507 +Index: geneve-ut-0507 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -7106,7 +7106,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-509 +Index: geneve-ut-0509 ```python event.dataset:okta.system and event.category:authentication and @@ -7119,7 +7119,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) 
@@ -7131,7 +7131,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -7143,7 +7143,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-512 +Index: geneve-ut-0512 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -7155,7 +7155,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -7170,7 +7170,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-515 +Index: geneve-ut-0515 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7184,7 +7184,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -7196,7 +7196,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) 
@@ -7208,7 +7208,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7226,7 +7226,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -7239,7 +7239,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -7253,7 +7253,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python sequence by host.id with maxspan=5s @@ -7269,7 +7269,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python /* Registry Path ends with backslash */ @@ -7294,7 +7294,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -7320,7 +7320,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python process where host.os.type == "macos" and event.type == "start" and @@ -7340,7 +7340,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -7359,7 +7359,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7372,7 +7372,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7388,7 +7388,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7414,7 +7414,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7433,7 +7433,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-530 +Index: geneve-ut-0530 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7461,7 +7461,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-531 +Index: geneve-ut-0531 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7476,7 +7476,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python registry where host.os.type == "windows" and @@ -7539,7 +7539,7 @@ registry where host.os.type == "windows" and Branch count: 7 Document count: 7 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and 
@@ -7562,7 +7562,7 @@ file where host.os.type == "windows" and event.type != "deletion" and user.domai Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python registry where host.os.type == "windows" and registry.path : ( @@ -7577,7 +7577,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -7595,7 +7595,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -7607,7 +7607,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 1 Document count: 3 -Index: geneve-ut-538 +Index: geneve-ut-0538 ```python sequence by user.email with maxspan=10m @@ -7622,7 +7622,7 @@ sequence by user.email with maxspan=10m Branch count: 16 Document count: 16 -Index: geneve-ut-539 +Index: geneve-ut-0539 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7635,7 +7635,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -7649,7 +7649,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python sequence by host.id, process.parent.entity_id with maxspan=5m 
@@ -7666,7 +7666,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and @@ -7682,7 +7682,7 @@ event.type == "start" and user.name == "postgres" and ( Branch count: 2 Document count: 6 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python sequence by host.id, user.name with maxspan = 5s @@ -7711,7 +7711,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -7724,7 +7724,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -7737,7 +7737,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where event.type in ("start", "process_started", "info") and @@ -7761,7 +7761,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -7796,7 +7796,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7814,7 +7814,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python process where host.os.type == "windows" and event.code == "10" and 
@@ -7837,7 +7837,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7890,7 +7890,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python sequence by process.entity_id with maxspan=1m @@ -7908,7 +7908,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-554 +Index: geneve-ut-0554 ```python sequence by process.entity_id @@ -7923,7 +7923,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python any where processor.name == "transaction" and @@ -7937,7 +7937,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7958,7 +7958,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-559 +Index: geneve-ut-0559 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7979,7 +7979,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7992,7 +7992,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and process.parent.name == "proot" 
@@ -8004,7 +8004,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 6 Document count: 6 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start" @@ -8020,7 +8020,7 @@ and ( Branch count: 2 Document count: 2 -Index: geneve-ut-568 +Index: geneve-ut-0568 ```python process where host.os.type == "linux" and event.type in ("start", "process_started") and @@ -8033,7 +8033,7 @@ process.name == "setenforce" and process.args == "0" Branch count: 2 Document count: 4 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python sequence by process.entity_id with maxspan=3m @@ -8057,7 +8057,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 6 Document count: 6 -Index: geneve-ut-570 +Index: geneve-ut-0570 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8082,7 +8082,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8095,7 +8095,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-575 +Index: geneve-ut-0575 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8108,7 +8108,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 3 Document count: 3 -Index: geneve-ut-576 +Index: geneve-ut-0576 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start" 
@@ -8121,7 +8121,7 @@ and process.name == "mount" and process.args == "/proc" and process.args == "-o" Branch count: 60 Document count: 120 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by host.id with maxspan=1m @@ -8157,7 +8157,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-580 +Index: geneve-ut-0580 ```python event.category:process and host.os.type:macos and event.type:start and @@ -8170,7 +8170,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8188,7 +8188,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -8202,7 +8202,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python sequence by host.id with maxspan=30s @@ -8221,7 +8221,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8235,7 +8235,7 @@ process.args : "-u" and process.args : "0" and process.args : "-o" Branch count: 3 Document count: 6 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -8251,7 +8251,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-587 +Index: geneve-ut-0587 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -8264,7 +8264,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 78 Document count: 78 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -8292,7 +8292,7 @@ process.name in ( Branch count: 1 Document count: 10 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -8310,7 +8310,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 44 Document count: 88 -Index: geneve-ut-591 +Index: geneve-ut-0591 ```python sequence by host.id with maxspan=10s @@ -8359,7 +8359,7 @@ sequence by host.id with maxspan=10s Branch count: 36 Document count: 36 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -8373,7 +8373,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 458 Document count: 458 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -8402,7 +8402,7 @@ event.type == "start" and ( Branch count: 6 Document count: 6 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8421,7 +8421,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python process where host.os.type == "windows" and @@ -8559,7 +8559,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python process where host.os.type == "windows" and 
@@ -8630,7 +8630,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python library where host.os.type == "windows" and event.action == "load" and @@ -8647,7 +8647,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 12 Document count: 12 -Index: geneve-ut-601 +Index: geneve-ut-0601 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( @@ -8664,7 +8664,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 1 Document count: 1 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -8676,7 +8676,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8717,7 +8717,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 8 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -8735,7 +8735,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4 Document count: 4 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python network where process.name : ("http", "https") @@ -8750,7 +8750,7 @@ network where process.name : ("http", "https") Branch count: 2 Document count: 4 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python sequence by process.entity_id with maxspan=1m 
@@ -8770,7 +8770,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -8811,7 +8811,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-612 +Index: geneve-ut-0612 ```python network where host.os.type == "windows" and @@ -8834,7 +8834,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8847,7 +8847,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8862,7 +8862,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8875,7 +8875,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -8897,7 +8897,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 8 Document count: 8 -Index: geneve-ut-623 +Index: geneve-ut-0623 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and 
@@ -8917,7 +8917,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 692 Document count: 692 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python event.category:process and host.os.type:windows and @@ -9113,7 +9113,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -9129,7 +9129,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -9143,7 +9143,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -9160,7 +9160,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-628 +Index: geneve-ut-0628 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -9174,7 +9174,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( @@ -9190,7 +9190,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python sequence by process.parent.entity_id, host.id with maxspan=5s 
@@ -9206,7 +9206,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -9218,7 +9218,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9234,7 +9234,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python sequence by host.id with maxspan=1m @@ -9254,7 +9254,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -9266,7 +9266,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python iam where event.action == "renamed-user-account" and @@ -9280,7 +9280,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "windows" and event.action == "start" and @@ -9303,7 +9303,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9323,7 +9323,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -9336,7 +9336,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python file where host.os.type == "windows" and @@ -9351,7 +9351,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python /* Identifies the modification of RDP Shadow registry or @@ -9378,7 +9378,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9393,7 +9393,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-648 +Index: geneve-ut-0648 ```python sequence with maxspan=1m @@ -9435,7 +9435,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python sequence by host.id with maxspan=5s @@ -9454,7 +9454,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python process where event.type in ("start", "process_started") and @@ -9475,7 +9475,7 @@ process where event.type in ("start", "process_started") and Branch count: 16 Document count: 16 -Index: geneve-ut-651 +Index: geneve-ut-0651 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9489,7 +9489,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -9508,7 +9508,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-653 +Index: geneve-ut-0653 ```python sequence by host.id with maxspan=5s 
@@ -9537,7 +9537,7 @@ sequence by host.id with maxspan=5s Branch count: 10 Document count: 10 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9553,7 +9553,7 @@ process.name in ("curl", "wget") and process.args : ( Branch count: 1 Document count: 1 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -9565,7 +9565,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-660 +Index: geneve-ut-0660 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -9579,7 +9579,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 32 Document count: 96 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -9607,7 +9607,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id with maxspan=1s @@ -9626,7 +9626,7 @@ sequence by host.id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9639,7 +9639,7 @@ process.name == "sudo" and process.args == "-u#-1" Branch count: 1 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s 
@@ -9655,7 +9655,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 2 Document count: 2 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -9669,7 +9669,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python file where event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -9699,7 +9699,7 @@ file.path : ( Branch count: 4 Document count: 4 -Index: geneve-ut-673 +Index: geneve-ut-0673 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and @@ -9712,7 +9712,7 @@ process.name in ("chown", "chmod") and process.args == "-R" and process.args : " Branch count: 2 Document count: 2 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( @@ -9728,7 +9728,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 8 Document count: 16 -Index: geneve-ut-675 +Index: geneve-ut-0675 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -9744,7 +9744,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 40 Document count: 40 -Index: geneve-ut-678 +Index: geneve-ut-0678 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and @@ -9760,7 +9760,7 @@ process.parent.name in ("screen", "tmux") and process.name : ( Branch count: 21 Document count: 21 -Index: geneve-ut-679 +Index: geneve-ut-0679 ```python event.category:process and host.os.type:windows and 
@@ -9785,7 +9785,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-681 +Index: geneve-ut-0681 ```python event.category:process and host.os.type:windows and @@ -9804,7 +9804,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python event.category:process and host.os.type:windows and @@ -9827,7 +9827,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -9839,7 +9839,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python event.category:process and host.os.type:windows and @@ -9864,7 +9864,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9880,7 +9880,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python event.category:process and host.os.type:windows and @@ -9919,7 +9919,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9933,7 +9933,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and 
@@ -9947,7 +9947,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -9960,7 +9960,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 4 Document count: 4 -Index: geneve-ut-704 +Index: geneve-ut-0704 ```python registry where host.os.type == "windows" and registry.path : ( @@ -9978,7 +9978,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -9995,7 +9995,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10009,7 +10009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 96 Document count: 96 -Index: geneve-ut-709 +Index: geneve-ut-0709 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -10084,7 +10084,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by winlog.computer_name with maxspan=1m @@ -10105,7 +10105,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10124,7 +10124,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 66 Document count: 66 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10179,7 +10179,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -10191,7 +10191,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -10203,7 +10203,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-716 +Index: geneve-ut-0716 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -10215,7 +10215,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python sequence by host.id with maxspan=5s @@ -10247,7 +10247,7 @@ sequence by host.id with maxspan=5s Branch count: 2 Document count: 2 -Index: geneve-ut-719 +Index: geneve-ut-0719 ```python process where event.type in ("start", "process_started") and process.name : "* " @@ -10259,7 +10259,7 @@ process where event.type in ("start", "process_started") and process.name : "* Branch count: 1 Document count: 1 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10281,7 +10281,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -10294,7 +10294,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-722 +Index: geneve-ut-0722 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains" @@ -10306,7 +10306,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type Branch count: 1 Document count: 2 -Index: geneve-ut-723 +Index: geneve-ut-0723 ```python sequence by process.entity_id @@ -10330,7 +10330,7 @@ sequence by process.entity_id Branch count: 4 Document count: 4 -Index: geneve-ut-726 +Index: geneve-ut-0726 ```python registry where host.os.type == "windows" and @@ -10351,7 +10351,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-729 +Index: geneve-ut-0729 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -10363,7 +10363,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-730 +Index: geneve-ut-0730 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -10375,7 +10375,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python registry where host.os.type == "windows" and 
@@ -10392,7 +10392,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-735 +Index: geneve-ut-0735 ```python registry where host.os.type == "windows" and @@ -10420,7 +10420,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10435,7 +10435,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-738 +Index: geneve-ut-0738 ```python sequence with maxspan=1m @@ -10465,7 +10465,7 @@ sequence with maxspan=1m Branch count: 13 Document count: 13 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10482,7 +10482,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -10503,7 +10503,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 228 Document count: 228 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python file where (event.action == "creation" or event.action == "modification") and @@ -10526,7 +10526,7 @@ user.name:("SYSTEM", "root") and Branch count: 2 Document count: 2 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10540,7 +10540,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10554,7 +10554,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python sequence by process.entity_id with maxspan=30s @@ -10578,7 +10578,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python sequence by host.id, process.entity_id @@ -10594,7 +10594,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10609,7 +10609,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-747 +Index: geneve-ut-0747 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -10628,7 +10628,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-748 +Index: geneve-ut-0748 ```python iam where event.action == "scheduled-task-created" and @@ -10641,7 +10641,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 12 Document count: 12 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10662,7 +10662,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -10704,7 +10704,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python sequence with maxspan=1m 
@@ -10727,7 +10727,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence with maxspan=1s @@ -10775,7 +10775,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10788,7 +10788,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-755 +Index: geneve-ut-0755 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -10835,7 +10835,7 @@ Index: geneve-ut-755 Branch count: 4 Document count: 4 -Index: geneve-ut-756 +Index: geneve-ut-0756 ```python registry where host.os.type == "windows" and event.type:"change" and @@ -10854,7 +10854,7 @@ registry where host.os.type == "windows" and event.type:"change" and Branch count: 6 Document count: 6 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python file where container.id:"*" and @@ -10867,7 +10867,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python process where container.id: "*" and event.type == "start" and @@ -10888,7 +10888,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python process where container.id: "*" and event.type== "start" and @@ -10902,7 +10902,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 36 Document count: 36 -Index: geneve-ut-763 +Index: geneve-ut-0763 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10920,7 +10920,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python sequence by host.id with maxspan = 30s 
@@ -10939,7 +10939,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 4 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python registry where host.os.type == "windows" and @@ -10955,7 +10955,7 @@ registry where host.os.type == "windows" and Branch count: 27 Document count: 27 -Index: geneve-ut-768 +Index: geneve-ut-0768 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -10996,7 +10996,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -11030,7 +11030,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-770 +Index: geneve-ut-0770 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11044,7 +11044,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-771 +Index: geneve-ut-0771 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11058,7 +11058,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-772 +Index: geneve-ut-0772 ```python process where event.type == "start" and @@ -11118,7 +11118,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python process where container.id: "*" and event.type== "start" and @@ -11161,7 +11161,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python process where container.id: "*" and event.type== "start" and 
@@ -11185,7 +11185,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -11198,7 +11198,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence by process.entity_id with maxspan = 1m @@ -11215,7 +11215,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -11235,7 +11235,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python sequence by winlog.computer_name with maxspan=5m @@ -11259,7 +11259,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11280,7 +11280,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11303,7 +11303,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -11316,7 +11316,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 1 Document count: 1 -Index: geneve-ut-784 +Index: geneve-ut-0784 ```python process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
@@ -11329,7 +11329,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not process.pare
 Branch count: 1
 Document count: 1
-Index: geneve-ut-786
+Index: geneve-ut-0786
 ```python
 event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
@@ -11341,7 +11341,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint
 Branch count: 6
 Document count: 12
-Index: geneve-ut-788
+Index: geneve-ut-0788
 ```python
 sequence by host.id with maxspan=5s
@@ -11355,7 +11355,7 @@ sequence by host.id with maxspan=5s
 Branch count: 18
 Document count: 18
-Index: geneve-ut-789
+Index: geneve-ut-0789
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and
@@ -11375,7 +11375,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten
 Branch count: 1
 Document count: 1
-Index: geneve-ut-790
+Index: geneve-ut-0790
 ```python
 process where host.os.type == "windows" and event.type == "start"
@@ -11389,7 +11389,7 @@ process where host.os.type == "windows" and event.type == "start"
 Branch count: 4
 Document count: 4
-Index: geneve-ut-791
+Index: geneve-ut-0791
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -11403,7 +11403,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 28
 Document count: 28
-Index: geneve-ut-792
+Index: geneve-ut-0792
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -11427,7 +11427,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 12
 Document count: 24
-Index: geneve-ut-806
+Index: geneve-ut-0806
 ```python
 sequence by host.id, process.entity_id with maxspan=5s
@@ -11452,7 +11452,7 @@ sequence by host.id, process.entity_id with maxspan=5s
 Branch count: 36
 Document count: 36
-Index: geneve-ut-807
+Index: geneve-ut-0807
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -11485,7 +11485,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-810
+Index: geneve-ut-0810
 ```python
 file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and
@@ -11510,7 +11510,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-811
+Index: geneve-ut-0811
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -11525,7 +11525,7 @@ not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
 Branch count: 16
 Document count: 16
-Index: geneve-ut-814
+Index: geneve-ut-0814
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11539,7 +11539,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-815
+Index: geneve-ut-0815
 ```python
 event.category:process and host.os.type:windows and
@@ -11565,7 +11565,7 @@ event.category:process and host.os.type:windows and
 Branch count: 16
 Document count: 16
-Index: geneve-ut-816
+Index: geneve-ut-0816
 ```python
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
@@ -11580,7 +11580,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en
 Branch count: 152
 Document count: 304
-Index: geneve-ut-817
+Index: geneve-ut-0817
 ```python
 sequence by host.id with maxspan=5s
@@ -11602,7 +11602,7 @@ sequence by host.id with maxspan=5s
 Branch count: 8
 Document count: 16
-Index: geneve-ut-818
+Index: geneve-ut-0818
 ```python
 sequence by host.id with maxspan=5s
@@ -11621,7 +11621,7 @@ sequence by host.id with maxspan=5s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-819
+Index: geneve-ut-0819
 ```python
 event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
@@ -11633,7 +11633,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi
 Branch count: 2
 Document count: 2
-Index: geneve-ut-820
+Index: geneve-ut-0820
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.path != null and
@@ -11646,7 +11646,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path
 Branch count: 2
 Document count: 4
-Index: geneve-ut-821
+Index: geneve-ut-0821
 ```python
 sequence by host.id with maxspan=30s
@@ -11660,7 +11660,7 @@ sequence by host.id with maxspan=30s
 Branch count: 182
 Document count: 182
-Index: geneve-ut-822
+Index: geneve-ut-0822
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -11690,7 +11690,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-823
+Index: geneve-ut-0823
 ```python
 event.category:file and host.os.type:macos and event.action:modification and
@@ -11714,7 +11714,7 @@ event.category:file and host.os.type:macos and event.action:modification and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-824
+Index: geneve-ut-0824
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11728,7 +11728,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-825
+Index: geneve-ut-0825
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -11751,7 +11751,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-826
+Index: geneve-ut-0826
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11765,7 +11765,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 58
 Document count: 58
-Index: geneve-ut-827
+Index: geneve-ut-0827
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -11986,7 +11986,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-828
+Index: geneve-ut-0828
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
@@ -12002,7 +12002,7 @@ not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*n
 Branch count: 1
 Document count: 1
-Index: geneve-ut-829
+Index: geneve-ut-0829
 ```python
 file where host.os.type == "macos" and event.type != "deletion" and process.name != null and
@@ -12015,7 +12015,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name
 Branch count: 189
 Document count: 189
-Index: geneve-ut-830
+Index: geneve-ut-0830
 ```python
 any where host.os.type == "windows" and
@@ -12048,7 +12048,7 @@ any where host.os.type == "windows" and
 Branch count: 10
 Document count: 10
-Index: geneve-ut-832
+Index: geneve-ut-0832
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
@@ -12064,7 +12064,7 @@ process.name == "od" and process.args in (
 Branch count: 44
 Document count: 44
-Index: geneve-ut-833
+Index: geneve-ut-0833
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -12100,7 +12100,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 4
 Document count: 4
-Index: geneve-ut-834
+Index: geneve-ut-0834
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12136,7 +12136,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-835
+Index: geneve-ut-0835
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12151,7 +12151,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-836
+Index: geneve-ut-0836
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
@@ -12167,7 +12167,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex
 Branch count: 14
 Document count: 14
-Index: geneve-ut-840
+Index: geneve-ut-0840
 ```python
 process where host.os.type == "windows" and event.type : "start" and
@@ -12195,7 +12195,7 @@ process where host.os.type == "windows" and event.type : "start" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-841
+Index: geneve-ut-0841
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12219,7 +12219,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-844
+Index: geneve-ut-0844
 ```python
 file where event.action == "creation" and process.name : "kworker*" and not (
@@ -12233,7 +12233,7 @@ file where event.action == "creation" and process.name : "kworker*" and not (
 Branch count: 2
 Document count: 2
-Index: geneve-ut-847
+Index: geneve-ut-0847
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -12246,7 +12246,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 30
 Document count: 30
-Index: geneve-ut-848
+Index: geneve-ut-0848
 ```python
 any where host.os.type == "windows" and
@@ -12261,7 +12261,7 @@ any where host.os.type == "windows" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-849
+Index: geneve-ut-0849
 ```python
 registry where host.os.type == "windows" and registry.path : (
@@ -12278,7 +12278,7 @@ registry where host.os.type == "windows" and registry.path : (
 Branch count: 6
 Document count: 6
-Index: geneve-ut-851
+Index: geneve-ut-0851
 ```python
 process where container.id: "*" and
@@ -12299,7 +12299,7 @@ process.args: "*/*sh"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-853
+Index: geneve-ut-0853
 ```python
 process where host.os.type == "linux" and event.action == "session_id_change" and event.type == "change" and
@@ -12312,7 +12312,7 @@ process.name : "kworker*" and user.id == "0"
 Branch count: 1
 Document count: 1
-Index: geneve-ut-854
+Index: geneve-ut-0854
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -12331,7 +12331,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-855
+Index: geneve-ut-0855
 ```python
 process where host.os.type == "windows" and event.code == "10" and
@@ -12366,7 +12366,7 @@ process where host.os.type == "windows" and event.code == "10" and
 Branch count: 52
 Document count: 52
-Index: geneve-ut-857
+Index: geneve-ut-0857
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12387,7 +12387,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-858
+Index: geneve-ut-0858
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -12407,7 +12407,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 24
 Document count: 24
-Index: geneve-ut-859
+Index: geneve-ut-0859
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
@@ -12420,7 +12420,7 @@ process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack
 Branch count: 14
 Document count: 14
-Index: geneve-ut-862
+Index: geneve-ut-0862
 ```python
 file where host.os.type == "linux" and event.type == "creation" and
@@ -12434,7 +12434,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic
 Branch count: 2
 Document count: 2
-Index: geneve-ut-864
+Index: geneve-ut-0864
 ```python
 library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and
@@ -12513,7 +12513,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S
 Branch count: 1
 Document count: 1
-Index: geneve-ut-866
+Index: geneve-ut-0866
 ```python
 network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
@@ -12526,7 +12526,7 @@ process.name == "sudo"
 Branch count: 28
 Document count: 28
-Index: geneve-ut-868
+Index: geneve-ut-0868
 ```python
 process where container.id: "*" and event.type== "start" and
@@ -12543,7 +12543,7 @@ process where container.id: "*" and event.type== "start" and
 Branch count: 212
 Document count: 212
-Index: geneve-ut-869
+Index: geneve-ut-0869
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12567,7 +12567,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-870
+Index: geneve-ut-0870
 ```python
 sequence by host.id, process.parent.pid with maxspan=1m
@@ -12583,7 +12583,7 @@ sequence by host.id, process.parent.pid with maxspan=1m
 Branch count: 1
 Document count: 1
-Index: geneve-ut-871
+Index: geneve-ut-0871
 ```python
 event.category:process and host.os.type:windows and
@@ -12598,7 +12598,7 @@ event.category:process and host.os.type:windows and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-874
+Index: geneve-ut-0874
 ```python
 file where host.os.type == "windows" and event.type : "deletion" and
@@ -12612,7 +12612,7 @@ file where host.os.type == "windows" and event.type : "deletion" and
 Branch count: 4
 Document count: 8
-Index: geneve-ut-875
+Index: geneve-ut-0875
 ```python
 sequence by host.id with maxspan=30s
@@ -12636,7 +12636,7 @@ sequence by host.id with maxspan=30s
 Branch count: 1
 Document count: 1
-Index: geneve-ut-876
+Index: geneve-ut-0876
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -12671,7 +12671,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-877
+Index: geneve-ut-0877
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -12695,7 +12695,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-881
+Index: geneve-ut-0881
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12708,7 +12708,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 180
 Document count: 180
-Index: geneve-ut-882
+Index: geneve-ut-0882
 ```python
 process where event.type == "start" and event.action : ("exec", "exec_event") and
@@ -12742,7 +12742,7 @@ not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/u
 Branch count: 48
 Document count: 48
-Index: geneve-ut-883
+Index: geneve-ut-0883
 ```python
 any where host.os.type == "windows" and
@@ -12775,7 +12775,7 @@ any where host.os.type == "windows" and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-884
+Index: geneve-ut-0884
 ```python
 sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m
@@ -12793,7 +12793,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=
 Branch count: 9
 Document count: 9
-Index: geneve-ut-885
+Index: geneve-ut-0885
 ```python
 file where host.os.type == "linux" and event.action == "rename" and
@@ -12807,7 +12807,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp",
 Branch count: 1
 Document count: 1
-Index: geneve-ut-886
+Index: geneve-ut-0886
 ```python
 file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and
@@ -12820,7 +12820,7 @@ file.Ext.original.path : "/usr/lib/vmware/*"
 Branch count: 8
 Document count: 8
-Index: geneve-ut-887
+Index: geneve-ut-0887
 ```python
 any where host.os.type == "windows" and
@@ -12854,7 +12854,7 @@ any where host.os.type == "windows" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-889
+Index: geneve-ut-0889
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -12885,7 +12885,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-890
+Index: geneve-ut-0890
 ```python
 registry where host.os.type == "windows" and
@@ -12915,7 +12915,7 @@ registry where host.os.type == "windows" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-894
+Index: geneve-ut-0894
 ```python
 process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx")
@@ -12928,7 +12928,7 @@ and process.parent.name : "kill"
 Branch count: 160
 Document count: 160
-Index: geneve-ut-895
+Index: geneve-ut-0895
 ```python
 process where host.os.type == "windows" and event.action == "start" and
@@ -12952,7 +12952,7 @@ process where host.os.type == "windows" and event.action == "start" and
 Branch count: 102
 Document count: 102
-Index: geneve-ut-896
+Index: geneve-ut-0896
 ```python
 process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and
@@ -12969,7 +12969,7 @@ event.type == "start" and process.name == "proxychains" and process.args : (
 Branch count: 2
 Document count: 2
-Index: geneve-ut-897
+Index: geneve-ut-0897
 ```python
 any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
@@ -12982,7 +12982,7 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a
 Branch count: 30
 Document count: 30
-Index: geneve-ut-898
+Index: geneve-ut-0898
 ```python
 any where host.os.type == "windows" and
@@ -12997,7 +12997,7 @@ any where host.os.type == "windows" and
 Branch count: 48
 Document count: 96
-Index: geneve-ut-899
+Index: geneve-ut-0899
 ```python
 sequence by process.entity_id with maxspan = 2m
@@ -13015,7 +13015,7 @@ sequence by process.entity_id with maxspan = 2m
 Branch count: 1
 Document count: 1
-Index: geneve-ut-900
+Index: geneve-ut-0900
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13034,7 +13034,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-904
+Index: geneve-ut-0904
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13047,7 +13047,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 114
 Document count: 114
-Index: geneve-ut-905
+Index: geneve-ut-0905
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -13093,7 +13093,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 Branch count: 1
 Document count: 1
-Index: geneve-ut-906
+Index: geneve-ut-0906
 ```python
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
@@ -13111,7 +13111,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh"
 Branch count: 8
 Document count: 8
-Index: geneve-ut-908
+Index: geneve-ut-0908
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13130,7 +13130,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 992
 Document count: 1984
-Index: geneve-ut-909
+Index: geneve-ut-0909
 ```python
 sequence by host.id, process.entity_id with maxspan=1s
@@ -13168,7 +13168,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 Branch count: 5
 Document count: 5
-Index: geneve-ut-910
+Index: geneve-ut-0910
 ```python
 process where event.type == "start" and event.action == "exec" and
@@ -13181,7 +13181,7 @@ process where event.type == "start" and event.action == "exec" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-911
+Index: geneve-ut-0911
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13195,7 +13195,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 11
 Document count: 11
-Index: geneve-ut-912
+Index: geneve-ut-0912
 ```python
 file where host.os.type == "linux" and event.type == "deletion" and
@@ -13222,7 +13222,7 @@ file where host.os.type == "linux" and event.type == "deletion" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-913
+Index: geneve-ut-0913
 ```python
 process where event.type == "start" and
@@ -13235,7 +13235,7 @@ process where event.type == "start" and
 Branch count: 5
 Document count: 5
-Index: geneve-ut-914
+Index: geneve-ut-0914
 ```python
 process where event.type == "start" and
@@ -13248,7 +13248,7 @@ process where event.type == "start" and
 Branch count: 14
 Document count: 14
-Index: geneve-ut-915
+Index: geneve-ut-0915
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13267,7 +13267,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-916
+Index: geneve-ut-0916
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13284,7 +13284,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-917
+Index: geneve-ut-0917
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13304,7 +13304,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-918
+Index: geneve-ut-0918
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -13317,7 +13317,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 2
 Document count: 2
-Index: geneve-ut-919
+Index: geneve-ut-0919
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and
@@ -13330,7 +13330,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 Branch count: 90
 Document count: 90
-Index: geneve-ut-922
+Index: geneve-ut-0922
 ```python
 process where event.type in ("start", "process_started") and
@@ -13353,7 +13353,7 @@ process where event.type in ("start", "process_started") and
 Branch count: 1
 Document count: 2
-Index: geneve-ut-923
+Index: geneve-ut-0923
 ```python
 sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
@@ -13367,7 +13367,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m
 Branch count: 30
 Document count: 30
-Index: geneve-ut-924
+Index: geneve-ut-0924
 ```python
 file where host.os.type == "windows" and event.type == "deletion" and
@@ -13406,7 +13406,7 @@ file where host.os.type == "windows" and event.type == "deletion" and
 Branch count: 4
 Document count: 4
-Index: geneve-ut-929
+Index: geneve-ut-0929
 ```python
 process where event.type == "start" and
@@ -13423,7 +13423,7 @@ process where event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-930
+Index: geneve-ut-0930
 ```python
 process where event.type : ("start", "process_started") and process.name : "trap" and process.args : "SIG*"
@@ -13435,7 +13435,7 @@ process where event.type : ("start", "process_started") and process.name : "tra
 Branch count: 1
 Document count: 1
-Index: geneve-ut-931
+Index: geneve-ut-0931
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13452,7 +13452,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-932
+Index: geneve-ut-0932
 ```python
 file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and
@@ -13468,7 +13468,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name
 Branch count: 2
 Document count: 2
-Index: geneve-ut-933
+Index: geneve-ut-0933
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13481,7 +13481,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-934
+Index: geneve-ut-0934
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and
@@ -13496,7 +13496,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 Branch count: 1
 Document count: 1
-Index: geneve-ut-935
+Index: geneve-ut-0935
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13512,7 +13512,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-936
+Index: geneve-ut-0936
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13527,7 +13527,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-937
+Index: geneve-ut-0937
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13543,7 +13543,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-939
+Index: geneve-ut-0939
 ```python
 event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
@@ -13555,7 +13555,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt
 Branch count: 1
 Document count: 1
-Index: geneve-ut-941
+Index: geneve-ut-0941
 ```python
 process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine"
@@ -13567,7 +13567,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare
 Branch count: 15
 Document count: 15
-Index: geneve-ut-942
+Index: geneve-ut-0942
 ```python
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
@@ -13584,7 +13584,7 @@ process where host.os.type == "linux" and event.action == "exec" and event.type
 Branch count: 1
 Document count: 1
-Index: geneve-ut-943
+Index: geneve-ut-0943
 ```python
 library where dll.name : "Bitsproxy.dll" and process.executable != null and
@@ -13597,7 +13597,7 @@ not process.code_signature.trusted == true
 Branch count: 1
 Document count: 1
-Index: geneve-ut-947
+Index: geneve-ut-0947
 ```python
 driver where host.os.type == "windows" and process.pid == 4 and
@@ -13611,7 +13611,7 @@ driver where host.os.type == "windows" and process.pid == 4 and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-949
+Index: geneve-ut-0949
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13625,7 +13625,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-950
+Index: geneve-ut-0950
 ```python
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and
@@ -13638,7 +13638,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa
 Branch count: 2
 Document count: 4
-Index: geneve-ut-951
+Index: geneve-ut-0951
 ```python
 sequence with maxspan=1h
@@ -13656,7 +13656,7 @@ sequence with maxspan=1h
 Branch count: 18
 Document count: 18
-Index: geneve-ut-958
+Index: geneve-ut-0958
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and
@@ -13678,7 +13678,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 Branch count: 29
 Document count: 29
-Index: geneve-ut-959
+Index: geneve-ut-0959
 ```python
 file where host.os.type == "windows" and event.type == "creation" and
@@ -13751,7 +13751,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 Branch count: 6
 Document count: 6
-Index: geneve-ut-960
+Index: geneve-ut-0960
 ```python
 file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and
@@ -13765,7 +13765,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type
 Branch count: 400
 Document count: 800
-Index: geneve-ut-973
+Index: geneve-ut-0973
 ```python
 sequence by process.entity_id with maxspan=5m
@@ -13833,7 +13833,7 @@ sequence by process.entity_id with maxspan=5m
 Branch count: 1
 Document count: 2
-Index: geneve-ut-974
+Index: geneve-ut-0974
 ```python
 sequence by host.id, process.entity_id with maxspan=1m
@@ -13852,7 +13852,7 @@ sequence by host.id, process.entity_id with maxspan=1m
 Branch count: 1
 Document count: 2
-Index: geneve-ut-975
+Index: geneve-ut-0975
 ```python
 sequence by host.id, process.entity_id with maxspan=1m
@@ -13871,7 +13871,7 @@ sequence by host.id, process.entity_id with maxspan=1m
 Branch count: 32
 Document count: 32
-Index: geneve-ut-978
+Index: geneve-ut-0978
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13912,7 +13912,7 @@ process.parent.name != null and
 Branch count: 8
 Document count: 8
-Index: geneve-ut-979
+Index: geneve-ut-0979
 ```python
 registry where host.os.type == "windows" and event.type == "change" and
@@ -13944,7 +13944,7 @@ registry where host.os.type == "windows" and event.type == "change" and
 Branch count: 32
 Document count: 32
-Index: geneve-ut-980
+Index: geneve-ut-0980
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13970,7 +13970,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 1
 Document count: 1
-Index: geneve-ut-981
+Index: geneve-ut-0981
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13983,7 +13983,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-982
+Index: geneve-ut-0982
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -14007,7 +14007,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 256
 Document count: 256
-Index: geneve-ut-983
+Index: geneve-ut-0983
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -14041,7 +14041,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 66
 Document count: 66
-Index: geneve-ut-984
+Index: geneve-ut-0984
 ```python
 process where event.type == "start" and host.os.type == "windows" and
@@ -14085,7 +14085,7 @@ process where event.type == "start" and host.os.type == "windows" and
 Branch count: 144
 Document count: 288
-Index: geneve-ut-987
+Index: geneve-ut-0987
 ```python
 sequence by process.entity_id
@@ -14122,7 +14122,7 @@ sequence by process.entity_id
 Branch count: 1
 Document count: 20
-Index: geneve-ut-999
+Index: geneve-ut-0999
 ```python
 sequence by host.id, process.parent.entity_id with maxspan=1s
diff --git a/tests/reports/alerts_from_rules-9.0.md b/tests/reports/alerts_from_rules-9.0.md
index f9619586..ea5b77ad 100644
--- a/tests/reports/alerts_from_rules-9.0.md
+++ b/tests/reports/alerts_from_rules-9.0.md
@@ -19,7 +19,7 @@ Rules version: 8.16.1
 Branch count: 4608
 Document count: 13824
-Index: geneve-ut-337
+Index: geneve-ut-0337
 ```python
 sequence by host.id, user.id with maxspan=1m
@@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=1m
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-696
+Index: geneve-ut-0696
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -63,7 +63,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-703
+Index: geneve-ut-0703
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -82,7 +82,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 1794
 Document count: 1794
-Index: geneve-ut-761
+Index: geneve-ut-0761
 ```python
 registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
@@ -142,7 +142,7 @@ registry where host.os.type == "windows" and event.type == "change" and process.
 Branch count: 2048
 Document count: 22528
-Index: geneve-ut-796
+Index: geneve-ut-0796
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -159,7 +159,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 8748
 Document count: 17496
-Index: geneve-ut-892
+Index: geneve-ut-0892
 ```python
 sequence with maxspan=1m
@@ -264,7 +264,7 @@ process where host.os.type == "windows" and event.type == "start" and
 Branch count: 2
 Document count: 2
-Index: geneve-ut-491
+Index: geneve-ut-0491
 ```python
 iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and
@@ -277,7 +277,7 @@ process.name in ("groupadd", "addgroup") and group.name != null
 Branch count: 2
 Document count: 2
-Index: geneve-ut-496
+Index: geneve-ut-0496
 ```python
 iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and
@@ -290,7 +290,7 @@ process.name in ("useradd", "adduser") and user.name != null
 Branch count: 4
 Document count: 8
-Index: geneve-ut-731
+Index: geneve-ut-0731
 ```python
 sequence by user.name, source.port, source.ip with maxspan=15s
@@ -310,7 +310,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s
 Branch count: 4608
 Document count: 13824
-Index: geneve-ut-337
+Index: geneve-ut-0337
 Failure message(s): got 1000 signals, expected 4608
@@ -337,7 +337,7 @@ sequence by host.id, user.id with maxspan=1m
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-696
+Index: geneve-ut-0696
 Failure message(s): got 1000 signals, expected 1024
@@ -358,7 +358,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-703
+Index: geneve-ut-0703
 Failure message(s): got 1000 signals, expected 1024
@@ -379,7 +379,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 @@ -396,7 +396,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 @@ -458,7 +458,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): got 1000 signals, expected 2048 @@ -477,7 +477,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -502,7 +502,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 Failure message(s): got 1000 signals, expected 8748 @@ -632,7 +632,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -659,7 +659,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -689,7 +689,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and 
@@ -725,7 +725,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -737,7 +737,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail @@ -752,7 +752,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -764,7 +764,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -776,7 +776,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -788,7 +788,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success 
@@ -800,7 +800,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -812,7 +812,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -827,7 +827,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -839,7 +839,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -856,7 +856,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -869,7 +869,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success 
@@ -881,7 +881,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -895,7 +895,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail @@ -910,7 +910,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -955,7 +955,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -967,7 +967,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure 
@@ -979,7 +979,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -992,7 +992,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -1005,7 +1005,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -1019,7 +1019,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1032,7 +1032,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1044,7 +1044,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success 
@@ -1056,7 +1056,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1068,7 +1068,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1080,7 +1080,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success @@ -1092,7 +1092,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1105,7 +1105,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1117,7 +1117,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1132,7 +1132,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail 
@@ -1148,7 +1148,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail @@ -1163,7 +1163,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1175,7 +1175,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1187,7 +1187,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" @@ -1202,7 +1202,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1217,7 +1217,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1229,7 +1229,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success 
@@ -1241,7 +1241,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" @@ -1256,7 +1256,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1269,7 +1269,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1281,7 +1281,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -1293,7 +1293,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1305,7 +1305,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success 
@@ -1317,7 +1317,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1329,7 +1329,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1341,7 +1341,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1356,7 +1356,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -1368,7 +1368,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1380,7 +1380,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and 
@@ -1393,7 +1393,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1406,7 +1406,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1419,7 +1419,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1434,7 +1434,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1447,7 +1447,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1459,7 +1459,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -1471,7 +1471,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1483,7 +1483,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1499,7 +1499,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1516,7 +1516,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1561,7 +1561,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and @@ -1596,7 +1596,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1613,7 +1613,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1633,7 +1633,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m @@ -1661,7 +1661,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1679,7 +1679,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1695,7 +1695,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1715,7 +1715,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1729,7 +1729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1742,7 +1742,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant 
@@ -1754,7 +1754,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1766,7 +1766,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1781,7 +1781,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1793,7 +1793,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1805,7 +1805,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1824,7 +1824,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1840,7 +1840,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION 
@@ -1852,7 +1852,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1867,7 +1867,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1897,7 +1897,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1909,7 +1909,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -1922,7 +1922,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1934,7 +1934,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1946,7 +1946,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate 
@@ -1958,7 +1958,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1970,7 +1970,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1982,7 +1982,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1994,7 +1994,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -2006,7 +2006,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete @@ -2018,7 +2018,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2030,7 +2030,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2047,7 +2047,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2060,7 +2060,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2088,7 +2088,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2104,7 +2104,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2117,7 +2117,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2131,7 +2131,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2154,7 +2154,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2169,7 +2169,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:okta.system and event.action:application.lifecycle.update 
@@ -2181,7 +2181,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -2193,7 +2193,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2205,7 +2205,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2217,7 +2217,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -2236,7 +2236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2248,7 +2248,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2260,7 +2260,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -2273,7 +2273,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2285,7 +2285,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2315,7 +2315,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2330,7 +2330,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 4 Document count: 4 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2343,7 +2343,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 1 Document count: 1 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2357,7 +2357,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2371,7 +2371,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.category:file and event.type:change and 
@@ -2396,7 +2396,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2411,7 +2411,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2426,7 +2426,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2448,7 +2448,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "windows" and event.type : "creation" and @@ -2477,7 +2477,7 @@ file where host.os.type == "windows" and event.type : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2498,7 +2498,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2518,7 +2518,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 36 Document count: 36 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2539,7 +2539,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2564,7 +2564,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2578,7 +2578,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -2596,7 +2596,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2616,7 +2616,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python sequence by process.entity_id @@ -2639,7 +2639,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2656,7 +2656,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -2718,7 +2718,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python library where host.os.type == "windows" and event.action == "load" and 
@@ -2748,7 +2748,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2773,7 +2773,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -2794,7 +2794,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python sequence by process.entity_id @@ -2815,7 +2815,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where container.id: "*" and event.type== "start" @@ -2828,7 +2828,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.kind:alert and event.module:cloud_defend @@ -2840,7 +2840,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 12 Document count: 12 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2863,7 +2863,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2883,7 +2883,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and 
@@ -2896,7 +2896,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -2909,7 +2909,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -2924,7 +2924,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -2941,7 +2941,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -2955,7 +2955,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 3 Document count: 3 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -2972,7 +2972,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -2984,7 +2984,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 12 Document count: 12 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and 
@@ -3033,7 +3033,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and @@ -3051,7 +3051,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti Branch count: 8 Document count: 8 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3066,7 +3066,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3078,7 +3078,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3090,7 +3090,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3102,7 +3102,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) 
@@ -3114,7 +3114,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python file where host.os.type == "linux" and @@ -3156,7 +3156,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3176,7 +3176,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 128 Document count: 128 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3198,7 +3198,7 @@ process.name == "curl" and ( Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3210,7 +3210,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:cyberarkpas.audit and @@ -3225,7 +3225,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -3256,7 +3256,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3272,7 +3272,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 5 Document count: 5 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3290,7 +3290,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3305,7 +3305,7 @@ Index: geneve-ut-264 Branch count: 2 Document count: 2 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3319,7 +3319,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3333,7 +3333,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and @@ -3347,7 +3347,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") Branch count: 12 Document count: 12 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3375,7 +3375,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3392,7 +3392,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3417,7 +3417,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3434,7 +3434,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3449,7 +3449,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3461,7 +3461,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3474,7 +3474,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3486,7 +3486,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan=1m @@ -3504,7 +3504,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and 
@@ -3539,7 +3539,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3554,7 +3554,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3570,7 +3570,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3584,7 +3584,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3596,7 +3596,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=3s @@ -3619,7 +3619,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python process where @@ -3650,7 +3650,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3663,7 +3663,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3677,7 +3677,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python registry where host.os.type == "windows" and @@ -3691,7 +3691,7 @@ registry where host.os.type == "windows" and Branch count: 16 Document count: 16 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3726,7 +3726,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -3738,7 +3738,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3752,7 +3752,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3771,7 +3771,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3798,7 +3798,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3829,7 +3829,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and 
@@ -3842,7 +3842,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -3871,7 +3871,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -3899,7 +3899,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -3912,7 +3912,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -3932,7 +3932,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3956,7 +3956,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -3982,7 +3982,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4007,7 +4007,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ 
@@ -4036,7 +4036,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -4048,7 +4048,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4071,7 +4071,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4086,7 +4086,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -4098,7 +4098,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4118,7 +4118,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4152,7 +4152,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" 
@@ -4164,7 +4164,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4178,7 +4178,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4191,7 +4191,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4203,7 +4203,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4215,7 +4215,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4229,7 +4229,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4241,7 +4241,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and 
@@ -4273,7 +4273,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s @@ -4290,7 +4290,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4304,7 +4304,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -4320,7 +4320,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4335,7 +4335,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4350,7 +4350,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4377,7 +4377,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4398,7 +4398,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and 
@@ -4417,7 +4417,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4443,7 +4443,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4473,7 +4473,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert @@ -4485,7 +4485,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4503,7 +4503,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4515,7 +4515,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4527,7 +4527,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) 
@@ -4539,7 +4539,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -4551,7 +4551,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -4563,7 +4563,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -4575,7 +4575,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -4587,7 +4587,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -4599,7 +4599,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success 
@@ -4611,7 +4611,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -4623,7 +4623,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -4635,7 +4635,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4647,7 +4647,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4659,7 +4659,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -4671,7 +4671,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success 
@@ -4683,7 +4683,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -4695,7 +4695,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -4707,7 +4707,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -4719,7 +4719,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -4731,7 +4731,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -4743,7 +4743,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -4755,7 +4755,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") 
@@ -4767,7 +4767,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -4779,7 +4779,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -4803,7 +4803,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s @@ -4821,7 +4821,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -4849,7 +4849,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -4874,7 +4874,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -4886,7 +4886,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" 
@@ -4898,7 +4898,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -4910,7 +4910,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -4923,7 +4923,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -4935,7 +4935,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -4947,7 +4947,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -4959,7 +4959,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -4972,7 +4972,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" 
@@ -4984,7 +4984,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin @@ -5000,7 +5000,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5013,7 +5013,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -5025,7 +5025,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5038,7 +5038,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5050,7 +5050,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5063,7 +5063,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and 
@@ -5080,7 +5080,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5094,7 +5094,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5118,7 +5118,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -5139,7 +5139,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5153,7 +5153,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5165,7 +5165,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5177,7 +5177,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam 
@@ -5190,7 +5190,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5203,7 +5203,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -5224,7 +5224,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5236,7 +5236,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5253,7 +5253,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5282,7 +5282,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5295,7 +5295,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5310,7 +5310,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5322,7 +5322,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5339,7 +5339,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m @@ -5358,7 +5358,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5376,7 +5376,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5395,7 +5395,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5411,7 +5411,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5427,7 +5427,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5440,7 +5440,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" 
@@ -5458,7 +5458,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5471,7 +5471,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5487,7 +5487,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5510,7 +5510,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5531,7 +5531,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -5552,7 +5552,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -5565,7 +5565,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -5583,7 +5583,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -5596,7 +5596,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -5610,7 +5610,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -5669,7 +5669,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5682,7 +5682,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -5695,7 +5695,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -5709,7 +5709,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -5725,7 +5725,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -5740,7 +5740,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -5756,7 +5756,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -5768,7 +5768,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -5783,7 +5783,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -5797,7 +5797,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -5813,7 +5813,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" 
@@ -5830,7 +5830,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -5847,7 +5847,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -5864,7 +5864,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -5897,7 +5897,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -5914,7 +5914,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -5931,7 +5931,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" @@ -5948,7 +5948,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -5964,7 +5964,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6002,7 +6002,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and 
@@ -6037,7 +6037,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6110,7 +6110,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6128,7 +6128,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6144,7 +6144,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6158,7 +6158,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6173,7 +6173,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6235,7 +6235,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6249,7 +6249,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -6265,7 +6265,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6284,7 +6284,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6302,7 +6302,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6327,7 +6327,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -6339,7 +6339,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6374,7 +6374,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6388,7 +6388,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com 
@@ -6400,7 +6400,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6412,7 +6412,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6424,7 +6424,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6436,7 +6436,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6448,7 +6448,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6480,7 +6480,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -6492,7 +6492,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6504,7 +6504,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6516,7 +6516,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -6528,7 +6528,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6540,7 +6540,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -6552,7 +6552,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -6564,7 +6564,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -6576,7 +6576,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -6588,7 +6588,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -6600,7 +6600,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -6612,7 +6612,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -6625,7 +6625,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -6644,7 +6644,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -6656,7 +6656,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -6671,7 +6671,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -6685,7 +6685,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -6699,7 +6699,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -6711,7 +6711,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -6723,7 +6723,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6737,7 +6737,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6758,7 +6758,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6772,7 +6772,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6805,7 +6805,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -6830,7 +6830,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category: "process" and host.os.type:windows and @@ -6854,7 +6854,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6869,7 +6869,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6883,7 +6883,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6897,7 +6897,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6920,7 +6920,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -6970,7 +6970,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" 
@@ -6982,7 +6982,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7000,7 +7000,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7017,7 +7017,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7029,7 +7029,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7055,7 +7055,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.category:file and host.os.type:linux and event.type:change and @@ -7077,7 +7077,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7099,7 +7099,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python registry where host.os.type == "windows" and event.type == "creation" and 
@@ -7116,7 +7116,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7130,7 +7130,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7142,7 +7142,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7165,7 +7165,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7178,7 +7178,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7197,7 +7197,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id with maxspan=30s @@ -7234,7 +7234,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by process.entity_id with maxspan=10m 
@@ -7252,7 +7252,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 1 Document count: 6 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7278,7 +7278,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7304,7 +7304,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7328,7 +7328,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7342,7 +7342,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7361,7 +7361,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -7376,7 +7376,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python process where container.id: "*" and event.type== "start" 
@@ -7399,7 +7399,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7413,7 +7413,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 3 Document count: 3 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7430,7 +7430,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7453,7 +7453,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python sequence by host.id with maxspan=1s @@ -7480,7 +7480,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 16 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id with maxspan=10s @@ -7497,7 +7497,7 @@ sequence by host.id with maxspan=10s Branch count: 1 Document count: 1 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -7516,7 +7516,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by process.entity_id @@ -7536,7 +7536,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python sequence by process.entity_id @@ -7555,7 +7555,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python sequence by host.id with maxspan=1m 
@@ -7575,7 +7575,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python sequence by process.entity_id @@ -7600,7 +7600,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python sequence by process.entity_id @@ -7622,7 +7622,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python network where host.os.type == "linux" and event.type == "start" and @@ -7643,7 +7643,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 2 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7674,7 +7674,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7704,7 +7704,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and @@ -7721,7 +7721,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 3 Document count: 3 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7734,7 +7734,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" 
@@ -7746,7 +7746,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -7758,7 +7758,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -7770,7 +7770,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -7782,7 +7782,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" @@ -7794,7 +7794,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or @@ -7808,7 +7808,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -7821,7 +7821,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -7833,7 +7833,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -7847,7 +7847,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -7859,7 +7859,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -7872,7 +7872,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.dataset:okta.system and event.category:authentication and @@ -7885,7 +7885,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and 
@@ -7908,7 +7908,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -7920,7 +7920,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -7932,7 +7932,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -7944,7 +7944,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 6 Document count: 6 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7961,7 +7961,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op Branch count: 36 Document count: 72 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -7976,7 +7976,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 5 Document count: 5 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and @@ -7995,7 +7995,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 2 Document count: 2 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8009,7 +8009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8021,7 +8021,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8033,7 +8033,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8051,7 +8051,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -8064,7 +8064,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -8079,7 +8079,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and 
@@ -8092,7 +8092,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 32 Document count: 32 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8121,7 +8121,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8141,7 +8141,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8160,7 +8160,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8173,7 +8173,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8189,7 +8189,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8215,7 +8215,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8234,7 +8234,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8262,7 +8262,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8277,7 +8277,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8340,7 +8340,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 14 Document count: 14 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python any where host.os.type == "windows" and @@ -8365,7 +8365,7 @@ any where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8381,7 +8381,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 4 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8393,7 +8393,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -8410,7 +8410,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8425,7 +8425,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8442,7 +8442,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8462,7 +8462,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p Branch count: 2 Document count: 6 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id, user.name with maxspan = 5s @@ -8491,7 +8491,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8504,7 +8504,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8517,7 +8517,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python process where event.type in ("start", "process_started", "info") and 
@@ -8541,7 +8541,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -8576,7 +8576,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "windows" and event.code == "10" and @@ -8594,7 +8594,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where host.os.type == "windows" and event.code == "10" and @@ -8617,7 +8617,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -8671,7 +8671,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python sequence by process.entity_id with maxspan=1m @@ -8689,7 +8689,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by process.entity_id @@ -8704,7 +8704,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python any where processor.name == "transaction" and @@ -8718,7 +8718,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8739,7 +8739,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8760,7 +8760,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -8785,7 +8785,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8798,7 +8798,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" @@ -8810,7 +8810,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path == Branch count: 2 Document count: 2 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8823,7 +8823,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8841,7 +8841,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -8854,7 +8854,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python sequence by process.entity_id with maxspan=3m @@ -8878,7 +8878,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where event.type == "start" and host.os.type == "windows" and @@ -8894,7 +8894,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8919,7 +8919,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -8932,7 +8932,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by host.id, user.id with maxspan=1s @@ -8954,7 +8954,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8972,7 +8972,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8985,7 +8985,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8998,7 +8998,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9011,7 +9011,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9026,7 +9026,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by host.id with maxspan=1m @@ -9062,7 +9062,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9075,7 +9075,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9093,7 +9093,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -9107,7 +9107,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by host.id with maxspan=30s @@ -9126,7 +9126,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -9139,7 +9139,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9155,7 +9155,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9168,7 +9168,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9198,7 +9198,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -9216,7 +9216,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9244,7 +9244,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9263,7 +9263,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and @@ -9401,7 +9401,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and 
@@ -9472,7 +9472,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9489,7 +9489,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9515,7 +9515,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -9527,7 +9527,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9568,7 +9568,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -9582,7 +9582,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python sequence by process.entity_id with maxspan=1m @@ -9610,7 +9610,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and 
@@ -9651,7 +9651,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python network where host.os.type == "windows" and @@ -9677,7 +9677,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9690,7 +9690,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and @@ -9760,7 +9760,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9774,7 +9774,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -9787,7 +9787,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9811,7 +9811,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -9831,7 +9831,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python host.os.type:windows and event.category:process and 
@@ -9868,7 +9868,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:windows and @@ -10061,7 +10061,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -10077,7 +10077,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -10091,7 +10091,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10108,7 +10108,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10122,7 +10122,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10138,7 +10138,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by process.parent.entity_id, host.id with maxspan=5s 
@@ -10154,7 +10154,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10166,7 +10166,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -10182,7 +10182,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-760 +Index: geneve-ut-0760 ```python sequence by host.id with maxspan=1m @@ -10202,7 +10202,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-762 +Index: geneve-ut-0762 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -10214,7 +10214,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-764 +Index: geneve-ut-0764 ```python iam where event.action == "renamed-user-account" and @@ -10228,7 +10228,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-765 +Index: geneve-ut-0765 ```python process where host.os.type == "windows" and event.action == "start" and @@ -10251,7 +10251,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-767 +Index: geneve-ut-0767 ```python sequence by host.id, process.entity_id with maxspan=3s @@ -10272,7 +10272,7 @@ sequence by host.id, process.entity_id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-769 +Index: geneve-ut-0769 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -10285,7 +10285,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-775 +Index: geneve-ut-0775 ```python file where host.os.type == "windows" and @@ -10300,7 +10300,7 @@ file where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-776 +Index: geneve-ut-0776 ```python /* Identifies the modification of RDP Shadow registry or @@ -10328,7 +10328,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-777 +Index: geneve-ut-0777 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10343,7 +10343,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-778 +Index: geneve-ut-0778 ```python sequence with maxspan=1m @@ -10385,7 +10385,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-779 +Index: geneve-ut-0779 ```python sequence by host.id with maxspan=5s @@ -10405,7 +10405,7 @@ sequence by host.id with maxspan=5s Branch count: 80 Document count: 80 -Index: geneve-ut-780 +Index: geneve-ut-0780 ```python process where event.type in ("start", "process_started") and @@ -10426,7 +10426,7 @@ process where event.type in ("start", "process_started") and Branch count: 32 Document count: 32 -Index: geneve-ut-781 +Index: geneve-ut-0781 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10440,7 +10440,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-782 +Index: geneve-ut-0782 ```python sequence by host.id, process.entity_id with maxspan=5s 
@@ -10460,7 +10460,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-783 +Index: geneve-ut-0783 ```python sequence by host.id with maxspan=5s @@ -10489,7 +10489,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-787 +Index: geneve-ut-0787 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10505,7 +10505,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-789 +Index: geneve-ut-0789 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" @@ -10517,7 +10517,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 2 Document count: 2 -Index: geneve-ut-790 +Index: geneve-ut-0790 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -10531,7 +10531,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 32 Document count: 96 -Index: geneve-ut-792 +Index: geneve-ut-0792 ```python /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ @@ -10559,7 +10559,7 @@ sequence by host.id with maxspan=1m Branch count: 72 Document count: 144 -Index: geneve-ut-793 +Index: geneve-ut-0793 ```python sequence by host.id with maxspan=1s @@ -10581,7 +10581,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 8 -Index: geneve-ut-797 +Index: geneve-ut-0797 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and 
@@ -10610,7 +10610,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( Branch count: 4 Document count: 4 -Index: geneve-ut-798 +Index: geneve-ut-0798 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10623,7 +10623,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-0799 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -10639,7 +10639,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-800 +Index: geneve-ut-0800 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10653,7 +10653,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-801 +Index: geneve-ut-0801 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -10683,7 +10683,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-802 +Index: geneve-ut-0802 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -10696,7 +10696,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-803 +Index: geneve-ut-0803 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -10712,7 +10712,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-804 +Index: geneve-ut-0804 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -10729,7 +10729,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-805 +Index: geneve-ut-0805 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -10742,7 +10742,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 4 Document count: 4 -Index: geneve-ut-806 +Index: geneve-ut-0806 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and @@ -10759,7 +10759,7 @@ process.executable : ( Branch count: 8 Document count: 16 -Index: geneve-ut-808 +Index: geneve-ut-0808 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -10775,7 +10775,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-0812 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -10792,7 +10792,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 16 -Index: geneve-ut-813 +Index: geneve-ut-0813 ```python sequence by okta.actor.id with maxspan=10m @@ -10812,7 +10812,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 72 Document count: 72 -Index: geneve-ut-814 +Index: geneve-ut-0814 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10828,7 +10828,7 @@ process.parent.name in ("screen", "tmux") and process.name like ( Branch count: 21 Document count: 21 -Index: geneve-ut-815 +Index: geneve-ut-0815 ```python event.category:process and host.os.type:windows and @@ -10853,7 +10853,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-817 +Index: geneve-ut-0817 ```python event.category:process and host.os.type:windows and 
@@ -10872,7 +10872,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-819 +Index: geneve-ut-0819 ```python event.category:process and host.os.type:windows and @@ -10895,7 +10895,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-820 +Index: geneve-ut-0820 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -10907,7 +10907,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-821 +Index: geneve-ut-0821 ```python event.category:process and host.os.type:windows and @@ -10931,7 +10931,7 @@ event.category:process and host.os.type:windows and Branch count: 6 Document count: 6 -Index: geneve-ut-822 +Index: geneve-ut-0822 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10948,7 +10948,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 80 Document count: 80 -Index: geneve-ut-839 +Index: geneve-ut-0839 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and @@ -10968,7 +10968,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 4 Document count: 8 -Index: geneve-ut-842 +Index: geneve-ut-0842 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -11001,7 +11001,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-843 +Index: geneve-ut-0843 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m 
@@ -11018,7 +11018,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-844 +Index: geneve-ut-0844 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11032,7 +11032,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-845 +Index: geneve-ut-0845 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and @@ -11046,7 +11046,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-846 +Index: geneve-ut-0846 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -11059,7 +11059,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 426 Document count: 426 -Index: geneve-ut-847 +Index: geneve-ut-0847 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -11102,7 +11102,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 20 Document count: 20 -Index: geneve-ut-848 +Index: geneve-ut-0848 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11128,7 +11128,7 @@ registry.path : ( Branch count: 1 Document count: 5 -Index: geneve-ut-849 +Index: geneve-ut-0849 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -11145,7 +11145,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-852 +Index: geneve-ut-0852 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11159,7 +11159,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-0853 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11173,7 +11173,7 @@ user.id != "0" Branch count: 2 Document count: 2 -Index: geneve-ut-854 +Index: geneve-ut-0854 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11190,7 +11190,7 @@ process.name == "setcap" and not ( Branch count: 96 Document count: 96 -Index: geneve-ut-856 +Index: geneve-ut-0856 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -11265,7 +11265,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-857 +Index: geneve-ut-0857 ```python sequence by winlog.computer_name with maxspan=1m @@ -11286,7 +11286,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-858 +Index: geneve-ut-0858 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11305,7 +11305,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-859 +Index: geneve-ut-0859 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( @@ -11320,7 +11320,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-860 +Index: geneve-ut-0860 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11373,7 +11373,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-861 +Index: geneve-ut-0861 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11385,7 +11385,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-862 +Index: geneve-ut-0862 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -11397,7 +11397,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-863 +Index: geneve-ut-0863 ```python process where host.os.type == "windows" and process.name: "MSBuild.exe" and @@ -11410,7 +11410,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and Branch count: 114 Document count: 114 -Index: geneve-ut-864 +Index: geneve-ut-0864 ```python process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and @@ -11453,7 +11453,7 @@ not ( Branch count: 72 Document count: 144 -Index: geneve-ut-866 +Index: geneve-ut-0866 ```python sequence by host.id with maxspan=5s @@ -11501,7 +11501,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-0867 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -11514,7 +11514,7 @@ process.name : "* " Branch count: 4 Document count: 4 -Index: geneve-ut-868 +Index: geneve-ut-0868 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -11551,7 +11551,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-869 +Index: geneve-ut-0869 ```python process where event.action == "exec" and host.os.type == "macos" and @@ -11571,7 +11571,7 @@ process where event.action == "exec" and host.os.type == "macos" and Branch count: 4 Document count: 4 -Index: geneve-ut-870 +Index: geneve-ut-0870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -11584,7 +11584,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-871 +Index: geneve-ut-0871 ```python sequence by process.entity_id @@ -11608,7 +11608,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-872 +Index: geneve-ut-0872 ```python file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and @@ -11627,7 +11627,7 @@ file.path : "/private/var/folders/*" Branch count: 6 Document count: 6 -Index: geneve-ut-875 +Index: geneve-ut-0875 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11651,7 +11651,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 8 -Index: geneve-ut-876 +Index: geneve-ut-0876 ```python sequence by process.entity_id with maxspan=1m @@ -11666,7 +11666,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-0880 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) 
@@ -11678,7 +11678,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-881 +Index: geneve-ut-0881 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -11690,7 +11690,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 3 Document count: 3 -Index: geneve-ut-887 +Index: geneve-ut-0887 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11707,7 +11707,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-888 +Index: geneve-ut-0888 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -11737,7 +11737,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 18 Document count: 18 -Index: geneve-ut-890 +Index: geneve-ut-0890 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11752,7 +11752,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-891 +Index: geneve-ut-0891 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11771,7 +11771,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-893 +Index: geneve-ut-0893 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11788,7 +11788,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-894 +Index: geneve-ut-0894 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and 
@@ -11811,7 +11811,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-895 +Index: geneve-ut-0895 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11825,7 +11825,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-896 +Index: geneve-ut-0896 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11839,7 +11839,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-897 +Index: geneve-ut-0897 ```python sequence by process.entity_id with maxspan=30s @@ -11863,7 +11863,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-898 +Index: geneve-ut-0898 ```python sequence by host.id, process.entity_id @@ -11879,7 +11879,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-899 +Index: geneve-ut-0899 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -11894,7 +11894,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-900 +Index: geneve-ut-0900 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -11914,7 +11914,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-901 +Index: geneve-ut-0901 ```python iam where event.action == "scheduled-task-created" and @@ -11927,7 +11927,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-903 +Index: geneve-ut-0903 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m 
@@ -11969,7 +11969,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-904 +Index: geneve-ut-0904 ```python sequence with maxspan=1m @@ -11992,7 +11992,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-905 +Index: geneve-ut-0905 ```python sequence with maxspan=1s @@ -12040,7 +12040,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-906 +Index: geneve-ut-0906 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12053,7 +12053,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-908 +Index: geneve-ut-0908 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12073,7 +12073,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( Branch count: 2 Document count: 4 -Index: geneve-ut-909 +Index: geneve-ut-0909 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -12090,7 +12090,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 48 Document count: 48 -Index: geneve-ut-910 +Index: geneve-ut-0910 ```python (event.dataset: (network_traffic.http or network_traffic.tls) or @@ -12137,7 +12137,7 @@ Index: geneve-ut-910 Branch count: 1 Document count: 1 -Index: geneve-ut-911 +Index: geneve-ut-0911 ```python event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com @@ -12150,7 +12150,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com Branch count: 4 Document count: 4 -Index: geneve-ut-912 +Index: geneve-ut-0912 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") 
@@ -12163,7 +12163,7 @@ and file.path : "/etc/selinux/config" Branch count: 32 Document count: 32 -Index: geneve-ut-913 +Index: geneve-ut-0913 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and @@ -12184,7 +12184,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-916 +Index: geneve-ut-0916 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 @@ -12196,7 +12196,7 @@ Index: geneve-ut-916 Branch count: 6 Document count: 6 -Index: geneve-ut-918 +Index: geneve-ut-0918 ```python file where container.id:"*" and @@ -12209,7 +12209,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-919 +Index: geneve-ut-0919 ```python process where container.id: "*" and event.type == "start" and @@ -12230,7 +12230,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-920 +Index: geneve-ut-0920 ```python file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and @@ -12244,7 +12244,7 @@ not file.name : "known_hosts.*" Branch count: 6 Document count: 6 -Index: geneve-ut-921 +Index: geneve-ut-0921 ```python process where container.id: "*" and event.type== "start" and @@ -12258,7 +12258,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 2 Document count: 2 -Index: geneve-ut-922 +Index: geneve-ut-0922 ```python file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and @@ -12271,7 +12271,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") Branch count: 36 Document count: 36 -Index: geneve-ut-925 +Index: geneve-ut-0925 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -12289,7 +12289,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-927 +Index: geneve-ut-0927 ```python sequence by host.id with maxspan = 30s @@ -12310,7 +12310,7 @@ sequence by host.id with maxspan = 30s Branch count: 6 Document count: 6 -Index: geneve-ut-929 +Index: geneve-ut-0929 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12327,7 +12327,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-930 +Index: geneve-ut-0930 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12342,7 +12342,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-931 +Index: geneve-ut-0931 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -12383,7 +12383,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-933 +Index: geneve-ut-0933 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and @@ -12417,7 +12417,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-934 +Index: geneve-ut-0934 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12431,7 +12431,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 112 Document count: 112 -Index: geneve-ut-935 +Index: geneve-ut-0935 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -12451,7 +12451,7 @@ process.args like ( Branch count: 2 Document count: 2 -Index: geneve-ut-936 +Index: geneve-ut-0936 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12465,7 +12465,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 116 Document count: 116 -Index: geneve-ut-937 +Index: geneve-ut-0937 ```python process where event.type == "start" and @@ -12526,7 +12526,7 @@ process.name : "grep" and user.id != "0" and Branch count: 270 Document count: 270 -Index: geneve-ut-940 +Index: geneve-ut-0940 ```python process where container.id: "*" and event.type== "start" and @@ -12569,7 +12569,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-941 +Index: geneve-ut-0941 ```python process where container.id: "*" and event.type== "start" and @@ -12593,7 +12593,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-942 +Index: geneve-ut-0942 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -12606,7 +12606,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 6 Document count: 6 -Index: geneve-ut-943 +Index: geneve-ut-0943 ```python file where host.os.type == "windows" and @@ -12627,7 +12627,7 @@ file where host.os.type == "windows" and Branch count: 16 Document count: 32 -Index: geneve-ut-944 +Index: geneve-ut-0944 ```python sequence by process.entity_id with maxspan = 1m @@ -12644,7 +12644,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-945 +Index: geneve-ut-0945 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -12664,7 +12664,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-946 +Index: geneve-ut-0946 ```python sequence by winlog.computer_name with maxspan=5m @@ -12688,7 +12688,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 10 Document count: 10 -Index: geneve-ut-947 +Index: geneve-ut-0947 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12703,7 +12703,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-948 +Index: geneve-ut-0948 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12724,7 +12724,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-949 +Index: geneve-ut-0949 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -12747,7 +12747,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-950 +Index: geneve-ut-0950 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -12760,7 +12760,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-951 +Index: geneve-ut-0951 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -12776,7 +12776,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-952 +Index: geneve-ut-0952 ```python file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and @@ -12789,7 +12789,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null Branch count: 1 Document count: 1 -Index: geneve-ut-953 +Index: geneve-ut-0953 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -12801,7 +12801,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 264 Document count: 264 -Index: geneve-ut-955 +Index: geneve-ut-0955 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( 
@@ -12849,7 +12849,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an Branch count: 72 Document count: 144 -Index: geneve-ut-956 +Index: geneve-ut-0956 ```python sequence by host.id with maxspan=5s @@ -12863,7 +12863,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-957 +Index: geneve-ut-0957 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -12885,7 +12885,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-958 +Index: geneve-ut-0958 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12904,7 +12904,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-959 +Index: geneve-ut-0959 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12918,7 +12918,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 42 Document count: 42 -Index: geneve-ut-960 +Index: geneve-ut-0960 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and @@ -12945,7 +12945,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 12 Document count: 24 -Index: geneve-ut-974 +Index: geneve-ut-0974 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -12970,7 +12970,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-975 +Index: geneve-ut-0975 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -13003,7 +13003,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-978 +Index: geneve-ut-0978 ```python beacon_stats.is_beaconing: true and @@ -13021,7 +13021,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-979 +Index: geneve-ut-0979 ```python beacon_stats.beaconing_score: 3 @@ -13033,7 +13033,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-980 +Index: geneve-ut-0980 ```python sequence by user.name with maxspan=12h @@ -13048,7 +13048,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-981 +Index: geneve-ut-0981 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -13073,7 +13073,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-983 +Index: geneve-ut-0983 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -13088,7 +13088,7 @@ not process.args == "dpkg" Branch count: 16 Document count: 16 -Index: geneve-ut-986 +Index: geneve-ut-0986 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13102,7 +13102,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-987 +Index: geneve-ut-0987 ```python event.category:process and host.os.type:windows and @@ -13133,7 +13133,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-988 +Index: geneve-ut-0988 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -13148,7 +13148,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-989 +Index: geneve-ut-0989 ```python sequence by host.id with maxspan=5s @@ -13170,7 +13170,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-990 +Index: geneve-ut-0990 ```python sequence by host.id with maxspan=5s @@ -13197,7 +13197,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-992 +Index: geneve-ut-0992 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -13209,7 +13209,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 4 Document count: 4 -Index: geneve-ut-993 +Index: geneve-ut-0993 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -13241,7 +13241,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-994 +Index: geneve-ut-0994 ```python sequence by host.id with maxspan=30s @@ -13255,7 +13255,7 @@ sequence by host.id with maxspan=30s Branch count: 182 Document count: 182 -Index: geneve-ut-995 +Index: geneve-ut-0995 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -13287,7 +13287,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-996 +Index: geneve-ut-0996 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -13311,7 +13311,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-997 +Index: geneve-ut-0997 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13325,7 +13325,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-998 +Index: geneve-ut-0998 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -13348,7 +13348,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-999 +Index: geneve-ut-0999 ```python process where host.os.type == "windows" and event.type == "start" and diff --git a/tests/reports/alerts_from_rules-serverless.md b/tests/reports/alerts_from_rules-serverless.md index 7ae1c68e..94ad0b42 100644 --- a/tests/reports/alerts_from_rules-serverless.md +++ b/tests/reports/alerts_from_rules-serverless.md @@ -20,7 +20,7 @@ Rules version: 8.16.1 Branch count: 2048 Document count: 22528 -Index: geneve-ut-796 +Index: geneve-ut-0796 Failure message(s): SDE says: > search_phase_execution_exception @@ -46,7 +46,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 ```python sequence by host.id, user.id with maxspan=1m @@ -71,7 +71,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -90,7 +90,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 ```python sequence by host.id, source.ip, user.name with maxspan=15s @@ -109,7 +109,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and 
@@ -169,7 +169,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 ```python sequence with maxspan=1m @@ -274,7 +274,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-491 +Index: geneve-ut-0491 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -287,7 +287,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-0496 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -300,7 +300,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-731 +Index: geneve-ut-0731 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -320,7 +320,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-337 +Index: geneve-ut-0337 Failure message(s): got 1000 signals, expected 4608 @@ -347,7 +347,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-696 +Index: geneve-ut-0696 Failure message(s): got 1000 signals, expected 1024 @@ -368,7 +368,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-703 +Index: geneve-ut-0703 Failure message(s): got 1000 signals, expected 1024 @@ -389,7 +389,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-754 +Index: geneve-ut-0754 Failure message(s): got 5 signals, expected 6 
@@ -406,7 +406,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 1794 Document count: 1794 -Index: geneve-ut-761 +Index: geneve-ut-0761 Failure message(s): got 1000 signals, expected 1794 @@ -468,7 +468,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 32 Document count: 64 -Index: geneve-ut-841 +Index: geneve-ut-0841 Failure message(s): got 24 signals, expected 32 @@ -493,7 +493,7 @@ sequence by host.id, process.pid with maxspan=1s Branch count: 8748 Document count: 17496 -Index: geneve-ut-892 +Index: geneve-ut-0892 Failure message(s): got 1000 signals, expected 8748 @@ -623,7 +623,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-000 +Index: geneve-ut-0000 ```python iam where event.action == "scheduled-task-created" and @@ -650,7 +650,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 1 -Index: geneve-ut-001 +Index: geneve-ut-0001 ```python iam where event.action == "scheduled-task-updated" and @@ -680,7 +680,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 8 Document count: 8 -Index: geneve-ut-002 +Index: geneve-ut-0002 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -716,7 +716,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-0008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -728,7 +728,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-009 +Index: geneve-ut-0009 ```python event.dataset:aws.cloudtrail 
@@ -743,7 +743,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-0010 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success @@ -755,7 +755,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-011 +Index: geneve-ut-0011 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -767,7 +767,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-012 +Index: geneve-ut-0012 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -779,7 +779,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-0013 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -791,7 +791,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-014 +Index: geneve-ut-0014 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -803,7 +803,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-015 +Index: geneve-ut-0015 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and 
@@ -818,7 +818,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-016 +Index: geneve-ut-0016 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success @@ -830,7 +830,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-017 +Index: geneve-ut-0017 ```python process where event.module == "cloud_defend" and @@ -847,7 +847,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-018 +Index: geneve-ut-0018 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -860,7 +860,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-022 +Index: geneve-ut-0022 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -872,7 +872,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-023 +Index: geneve-ut-0023 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -886,7 +886,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-024 +Index: geneve-ut-0024 ```python event.dataset: aws.cloudtrail @@ -901,7 +901,7 @@ event.dataset: aws.cloudtrail Branch count: 2 Document count: 2 -Index: geneve-ut-028 +Index: geneve-ut-0028 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success 
@@ -913,7 +913,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-029 +Index: geneve-ut-0029 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success @@ -925,7 +925,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 6 Document count: 6 -Index: geneve-ut-030 +Index: geneve-ut-0030 ```python event.dataset: "aws.cloudtrail" @@ -946,7 +946,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-0031 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -958,7 +958,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-032 +Index: geneve-ut-0032 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -970,7 +970,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-033 +Index: geneve-ut-0033 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -983,7 +983,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-0034 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -996,7 +996,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-035 +Index: geneve-ut-0035 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or 
@@ -1010,7 +1010,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-036 +Index: geneve-ut-0036 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and @@ -1023,7 +1023,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-037 +Index: geneve-ut-0037 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -1035,7 +1035,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-0041 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -1047,7 +1047,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-0046 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -1059,7 +1059,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-047 +Index: geneve-ut-0047 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -1071,7 +1071,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-0048 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -1083,7 +1083,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-049 +Index: geneve-ut-0049 ```python event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" @@ -1096,7 +1096,7 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-050 +Index: geneve-ut-0050 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -1108,7 +1108,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-0051 ```python event.dataset:aws.cloudtrail @@ -1123,7 +1123,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-052 +Index: geneve-ut-0052 ```python event.dataset: aws.cloudtrail @@ -1139,7 +1139,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-0053 ```python event.dataset:aws.cloudtrail @@ -1154,7 +1154,7 @@ event.dataset:aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-0054 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -1166,7 +1166,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-056 +Index: geneve-ut-0056 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -1178,7 +1178,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-057 +Index: geneve-ut-0057 ```python event.dataset: "aws.cloudtrail" 
@@ -1193,7 +1193,7 @@ event.dataset: "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-059 +Index: geneve-ut-0059 ```python event.dataset: aws.cloudtrail @@ -1208,7 +1208,7 @@ event.dataset: aws.cloudtrail Branch count: 1 Document count: 1 -Index: geneve-ut-061 +Index: geneve-ut-0061 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -1220,7 +1220,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-062 +Index: geneve-ut-0062 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -1232,7 +1232,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-064 +Index: geneve-ut-0064 ```python any where event.dataset == "aws.cloudtrail" @@ -1247,7 +1247,7 @@ any where event.dataset == "aws.cloudtrail" Branch count: 2 Document count: 2 -Index: geneve-ut-067 +Index: geneve-ut-0067 ```python event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" @@ -1260,7 +1260,7 @@ event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com" Branch count: 1 Document count: 1 -Index: geneve-ut-069 +Index: geneve-ut-0069 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success @@ -1272,7 +1272,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-070 +Index: geneve-ut-0070 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success 
@@ -1284,7 +1284,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-071 +Index: geneve-ut-0071 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -1296,7 +1296,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-0072 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -1308,7 +1308,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-074 +Index: geneve-ut-0074 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -1320,7 +1320,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-075 +Index: geneve-ut-0075 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success @@ -1332,7 +1332,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-0076 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -1347,7 +1347,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-077 +Index: geneve-ut-0077 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success 
@@ -1359,7 +1359,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-078 +Index: geneve-ut-0078 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1371,7 +1371,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-079 +Index: geneve-ut-0079 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1384,7 +1384,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-080 +Index: geneve-ut-0080 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1397,7 +1397,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-081 +Index: geneve-ut-0081 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and @@ -1410,7 +1410,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-082 +Index: geneve-ut-0082 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1425,7 +1425,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-0096 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
@@ -1438,7 +1438,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-103 +Index: geneve-ut-0103 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1450,7 +1450,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-0104 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success @@ -1462,7 +1462,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-105 +Index: geneve-ut-0105 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1474,7 +1474,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-108 +Index: geneve-ut-0108 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1490,7 +1490,7 @@ Index: geneve-ut-108 Branch count: 4 Document count: 4 -Index: geneve-ut-109 +Index: geneve-ut-0109 ```python process where host.os.type == "linux" and event.type == "start" and @@ -1507,7 +1507,7 @@ process.name == "setfacl" and not ( Branch count: 12 Document count: 12 -Index: geneve-ut-110 +Index: geneve-ut-0110 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1552,7 +1552,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 8 Document count: 8 -Index: geneve-ut-111 +Index: geneve-ut-0111 ```python any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and 
@@ -1587,7 +1587,7 @@ any where event.action in ("Directory Service Access", "object-operation-perform Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-0112 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1604,7 +1604,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-114 +Index: geneve-ut-0114 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1624,7 +1624,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-115 +Index: geneve-ut-0115 ```python sequence by winlog.computer_name with maxspan=1m @@ -1652,7 +1652,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-116 +Index: geneve-ut-0116 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1670,7 +1670,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-0118 ```python iam where winlog.api == "wineventlog" and event.code == "4728" and @@ -1686,7 +1686,7 @@ not group.id : "S-1-5-21-*-513" Branch count: 36 Document count: 36 -Index: geneve-ut-119 +Index: geneve-ut-0119 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1706,7 +1706,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-0120 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1720,7 +1720,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-0121 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and @@ -1733,7 +1733,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 1 Document count: 1 -Index: geneve-ut-123 +Index: geneve-ut-0123 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1745,7 +1745,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-124 +Index: geneve-ut-0124 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1757,7 +1757,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-125 +Index: geneve-ut-0125 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -1772,7 +1772,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-0126 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1784,7 +1784,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 2 Document count: 2 -Index: geneve-ut-127 +Index: geneve-ut-0127 ```python event.agent_id_status:(agent_id_mismatch or mismatch) @@ -1796,7 +1796,7 @@ event.agent_id_status:(agent_id_mismatch or mismatch) Branch count: 1 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-0134 ```python sequence by host.id, process.entity_id with maxspan=30s 
@@ -1815,7 +1815,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-0135 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -1831,7 +1831,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-136 +Index: geneve-ut-0136 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1843,7 +1843,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-137 +Index: geneve-ut-0137 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1858,7 +1858,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 8 Document count: 8 -Index: geneve-ut-139 +Index: geneve-ut-0139 ```python file where host.os.type == "linux" and @@ -1888,7 +1888,7 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* Branch count: 1 Document count: 1 -Index: geneve-ut-140 +Index: geneve-ut-0140 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1900,7 +1900,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-141 +Index: geneve-ut-0141 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -1913,7 +1913,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-142 +Index: geneve-ut-0142 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1925,7 +1925,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-143 +Index: geneve-ut-0143 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1937,7 +1937,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-144 +Index: geneve-ut-0144 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1949,7 +1949,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-145 +Index: geneve-ut-0145 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1961,7 +1961,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-146 +Index: geneve-ut-0146 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1973,7 +1973,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-147 +Index: geneve-ut-0147 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1985,7 +1985,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-148 +Index: geneve-ut-0148 ```python event.dataset:okta.system and event.action:zone.delete @@ -1997,7 +1997,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-149 +Index: geneve-ut-0149 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete 
@@ -2009,7 +2009,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-150 +Index: geneve-ut-0150 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -2021,7 +2021,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 20 Document count: 20 -Index: geneve-ut-151 +Index: geneve-ut-0151 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -2038,7 +2038,7 @@ process.args in ("auditd", "auditd.service") Branch count: 2 Document count: 2 -Index: geneve-ut-152 +Index: geneve-ut-0152 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2051,7 +2051,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 74 Document count: 74 -Index: geneve-ut-153 +Index: geneve-ut-0153 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2079,7 +2079,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-154 +Index: geneve-ut-0154 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2095,7 +2095,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-155 +Index: geneve-ut-0155 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2108,7 +2108,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-156 +Index: geneve-ut-0156 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2122,7 +2122,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 10 Document count: 10 -Index: geneve-ut-157 +Index: geneve-ut-0157 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2145,7 +2145,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-158 +Index: geneve-ut-0158 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2160,7 +2160,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-159 +Index: geneve-ut-0159 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -2172,7 +2172,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-160 +Index: geneve-ut-0160 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -2184,7 +2184,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-161 +Index: geneve-ut-0161 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -2196,7 +2196,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-162 +Index: geneve-ut-0162 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -2208,7 +2208,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 8 Document count: 8 -Index: geneve-ut-163 +Index: geneve-ut-0163 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -2227,7 +2227,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-164 +Index: geneve-ut-0164 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -2239,7 +2239,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-166 +Index: geneve-ut-0166 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -2251,7 +2251,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-167 +Index: geneve-ut-0167 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -2264,7 +2264,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-168 +Index: geneve-ut-0168 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -2276,7 +2276,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-169 +Index: geneve-ut-0169 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2306,7 +2306,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-173 +Index: geneve-ut-0173 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -2321,7 +2321,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-174 +Index: geneve-ut-0174 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and 
@@ -2335,7 +2335,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-175 +Index: geneve-ut-0175 ```python event.dataset:azure.signinlogs and @@ -2349,7 +2349,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-176 +Index: geneve-ut-0176 ```python event.dataset:azure.signinlogs and @@ -2362,7 +2362,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-177 +Index: geneve-ut-0177 ```python event.dataset:azure.signinlogs and @@ -2376,7 +2376,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-178 +Index: geneve-ut-0178 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and @@ -2389,7 +2389,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-179 +Index: geneve-ut-0179 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -2401,7 +2401,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-180 +Index: geneve-ut-0180 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -2413,7 +2413,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-181 +Index: geneve-ut-0181 ```python event.dataset:azure.activitylogs and @@ -2432,7 +2432,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-182 +Index: geneve-ut-0182 ```python event.dataset:azure.activitylogs and 
@@ -2446,7 +2446,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-183 +Index: geneve-ut-0183 ```python event.dataset:azure.activitylogs and @@ -2464,7 +2464,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-184 +Index: geneve-ut-0184 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2476,7 +2476,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-185 +Index: geneve-ut-0185 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( @@ -2491,7 +2491,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-0186 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2503,7 +2503,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-187 +Index: geneve-ut-0187 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2516,7 +2516,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-188 +Index: geneve-ut-0188 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) 
@@ -2528,7 +2528,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-0191 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2540,7 +2540,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-0192 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) @@ -2552,7 +2552,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-0193 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2564,7 +2564,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-0194 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2576,7 +2576,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-195 +Index: geneve-ut-0195 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) 
@@ -2588,7 +2588,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-196 +Index: geneve-ut-0196 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2606,7 +2606,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-197 +Index: geneve-ut-0197 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2622,7 +2622,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-198 +Index: geneve-ut-0198 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) @@ -2634,7 +2634,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-199 +Index: geneve-ut-0199 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2647,7 +2647,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-200 +Index: geneve-ut-0200 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2660,7 +2660,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-201 +Index: geneve-ut-0201 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2675,7 +2675,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-0202 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) 
@@ -2687,7 +2687,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-0203 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2699,7 +2699,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-204 +Index: geneve-ut-0204 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) @@ -2711,7 +2711,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-205 +Index: geneve-ut-0205 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2723,7 +2723,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-0206 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2735,7 +2735,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-207 +Index: geneve-ut-0207 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) 
@@ -2747,7 +2747,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-208 +Index: geneve-ut-0208 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2765,7 +2765,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-209 +Index: geneve-ut-0209 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2779,7 +2779,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-210 +Index: geneve-ut-0210 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -2793,7 +2793,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-211 +Index: geneve-ut-0211 ```python event.category:file and event.type:change and @@ -2818,7 +2818,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-212 +Index: geneve-ut-0212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2833,7 +2833,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-213 +Index: geneve-ut-0213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -2848,7 +2848,7 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ Branch count: 13 Document count: 13 -Index: geneve-ut-214 +Index: geneve-ut-0214 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2870,7 +2870,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-215 +Index: geneve-ut-0215 ```python file where host.os.type == "windows" and event.type : "creation" and @@ -2899,7 +2899,7 @@ file where host.os.type == "windows" and event.type : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-216 +Index: geneve-ut-0216 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2920,7 +2920,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-218 +Index: geneve-ut-0218 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2940,7 +2940,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 36 Document count: 36 -Index: geneve-ut-219 +Index: geneve-ut-0219 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2961,7 +2961,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-220 +Index: geneve-ut-0220 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2986,7 +2986,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-222 +Index: geneve-ut-0222 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3000,7 +3000,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-223 +Index: geneve-ut-0223 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -3018,7 +3018,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-224 +Index: geneve-ut-0224 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -3038,7 +3038,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-225 +Index: geneve-ut-0225 ```python sequence by process.entity_id @@ -3061,7 +3061,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-226 +Index: geneve-ut-0226 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3078,7 +3078,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-227 +Index: geneve-ut-0227 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3140,7 +3140,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 12 Document count: 12 -Index: geneve-ut-228 +Index: geneve-ut-0228 ```python library where host.os.type == "windows" and event.action == "load" and @@ -3170,7 +3170,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-230 +Index: geneve-ut-0230 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -3195,7 +3195,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-232 +Index: geneve-ut-0232 ```python sequence by process.entity_id @@ -3216,7 +3216,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-233 +Index: geneve-ut-0233 ```python sequence by process.entity_id 
@@ -3237,7 +3237,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-234 +Index: geneve-ut-0234 ```python process where container.id: "*" and event.type== "start" @@ -3250,7 +3250,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-0235 ```python event.kind:alert and event.module:cloud_defend @@ -3262,7 +3262,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 12 Document count: 12 -Index: geneve-ut-236 +Index: geneve-ut-0236 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3285,7 +3285,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 5 Document count: 5 -Index: geneve-ut-238 +Index: geneve-ut-0238 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3305,7 +3305,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-239 +Index: geneve-ut-0239 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and @@ -3318,7 +3318,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-240 +Index: geneve-ut-0240 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -3331,7 +3331,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-241 +Index: geneve-ut-0241 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -3346,7 +3346,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-242 +Index: geneve-ut-0242 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -3363,7 +3363,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-243 +Index: geneve-ut-0243 ```python any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and @@ -3377,7 +3377,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan Branch count: 3 Document count: 3 -Index: geneve-ut-244 +Index: geneve-ut-0244 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3394,7 +3394,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 2 Document count: 2 -Index: geneve-ut-245 +Index: geneve-ut-0245 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") @@ -3406,7 +3406,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 12 Document count: 12 -Index: geneve-ut-247 +Index: geneve-ut-0247 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : "Blob" and @@ -3455,7 +3455,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 4 Document count: 4 -Index: geneve-ut-248 +Index: geneve-ut-0248 ```python file where host.os.type == "windows" and event.type != "deletion" and event.action != "open" and @@ -3473,7 +3473,7 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti Branch count: 8 Document count: 8 -Index: geneve-ut-249 +Index: geneve-ut-0249 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3488,7 +3488,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-250 +Index: geneve-ut-0250 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3500,7 +3500,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-0251 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -3512,7 +3512,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-252 +Index: geneve-ut-0252 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3524,7 +3524,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-253 +Index: geneve-ut-0253 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -3536,7 +3536,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 80 Document count: 80 -Index: geneve-ut-254 +Index: geneve-ut-0254 ```python file where host.os.type == "linux" and @@ -3578,7 +3578,7 @@ event.action in ("rename", "creation") and file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-255 +Index: geneve-ut-0255 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -3598,7 +3598,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and Branch count: 128 Document count: 128 -Index: geneve-ut-256 +Index: geneve-ut-0256 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -3620,7 +3620,7 @@ process.name == "curl" and ( Branch count: 1 Document count: 1 -Index: geneve-ut-257 +Index: geneve-ut-0257 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -3632,7 +3632,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-258 +Index: geneve-ut-0258 ```python event.dataset:cyberarkpas.audit and @@ -3647,7 +3647,7 @@ event.dataset:cyberarkpas.audit and Branch count: 16 Document count: 16 -Index: geneve-ut-259 +Index: geneve-ut-0259 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -3678,7 +3678,7 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* Branch count: 3 Document count: 3 -Index: geneve-ut-260 +Index: geneve-ut-0260 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3694,7 +3694,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 5 Document count: 5 -Index: geneve-ut-262 +Index: geneve-ut-0262 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3712,7 +3712,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 9 Document count: 9 -Index: geneve-ut-264 +Index: geneve-ut-0264 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -3727,7 +3727,7 @@ Index: geneve-ut-264 Branch count: 2 Document count: 2 -Index: geneve-ut-266 +Index: geneve-ut-0266 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3741,7 +3741,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-267 +Index: geneve-ut-0267 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3755,7 +3755,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-270 +Index: geneve-ut-0270 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and @@ -3769,7 +3769,7 @@ not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") Branch count: 12 Document count: 12 -Index: geneve-ut-271 +Index: geneve-ut-0271 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3797,7 +3797,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-272 +Index: geneve-ut-0272 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3814,7 +3814,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-273 +Index: geneve-ut-0273 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -3839,7 +3839,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 24 Document count: 24 -Index: geneve-ut-274 +Index: geneve-ut-0274 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3856,7 +3856,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-275 +Index: geneve-ut-0275 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -3871,7 +3871,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-278 +Index: geneve-ut-0278 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3883,7 +3883,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-281 +Index: geneve-ut-0281 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3896,7 +3896,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-282 +Index: geneve-ut-0282 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3908,7 +3908,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-283 +Index: geneve-ut-0283 ```python sequence by process.entity_id with maxspan=1m @@ -3926,7 +3926,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 24 Document count: 24 -Index: geneve-ut-284 +Index: geneve-ut-0284 ```python file where host.os.type == "linux" and event.action in ("creation", "rename") and @@ -3961,7 +3961,7 @@ not ( Branch count: 12 Document count: 12 -Index: geneve-ut-286 +Index: geneve-ut-0286 ```python process where host.os.type == "linux" and event.type == "start" and @@ -3976,7 +3976,7 @@ not process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewag Branch count: 108 Document count: 108 -Index: geneve-ut-287 +Index: geneve-ut-0287 ```python process where host.os.type == "linux" and event.type == "start" and 
@@ -3992,7 +3992,7 @@ not process.parent.executable == "/usr/share/qemu/init/qemu-kvm-init" Branch count: 12 Document count: 12 -Index: geneve-ut-288 +Index: geneve-ut-0288 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4006,7 +4006,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-289 +Index: geneve-ut-0289 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -4018,7 +4018,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 1 Document count: 2 -Index: geneve-ut-290 +Index: geneve-ut-0290 ```python sequence by host.id with maxspan=3s @@ -4041,7 +4041,7 @@ sequence by host.id with maxspan=3s Branch count: 203 Document count: 203 -Index: geneve-ut-291 +Index: geneve-ut-0291 ```python process where @@ -4072,7 +4072,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-292 +Index: geneve-ut-0292 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -4085,7 +4085,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-293 +Index: geneve-ut-0293 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4099,7 +4099,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 1 Document count: 1 -Index: geneve-ut-294 +Index: geneve-ut-0294 ```python registry where host.os.type == "windows" and @@ -4113,7 +4113,7 @@ registry where host.os.type == "windows" and Branch count: 16 Document count: 16 -Index: geneve-ut-295 +Index: geneve-ut-0295 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4148,7 +4148,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-296 +Index: geneve-ut-0296 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -4160,7 +4160,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 3 Document count: 3 -Index: geneve-ut-297 +Index: geneve-ut-0297 ```python event.dataset:(azure.activitylogs or azure.signinlogs) @@ -4177,7 +4177,7 @@ event.dataset:(azure.activitylogs or azure.signinlogs) Branch count: 2 Document count: 2 -Index: geneve-ut-298 +Index: geneve-ut-0298 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4191,7 +4191,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-299 +Index: geneve-ut-0299 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4210,7 +4210,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-301 +Index: geneve-ut-0301 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4237,7 +4237,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 276 Document count: 276 -Index: geneve-ut-305 +Index: geneve-ut-0305 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -4268,7 +4268,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-0306 ```python event.category:process and host.os.type:windows and @@ -4281,7 +4281,7 @@ event.category:process and host.os.type:windows and Branch count: 378 Document count: 378 -Index: geneve-ut-307 +Index: geneve-ut-0307 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -4310,7 +4310,7 @@ process.args : ( Branch count: 64 Document count: 64 -Index: geneve-ut-309 +Index: geneve-ut-0309 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -4338,7 +4338,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-310 +Index: geneve-ut-0310 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4351,7 +4351,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-312 +Index: geneve-ut-0312 ```python sequence by process.entity_id with maxspan=5m @@ -4371,7 +4371,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-313 +Index: geneve-ut-0313 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4395,7 +4395,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 72 Document count: 144 -Index: geneve-ut-314 +Index: geneve-ut-0314 ```python sequence with maxspan=2h @@ -4421,7 +4421,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-315 +Index: geneve-ut-0315 ```python sequence with maxspan=2h @@ -4446,7 +4446,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-316 +Index: geneve-ut-0316 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -4475,7 +4475,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-318 +Index: geneve-ut-0318 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) 
@@ -4487,7 +4487,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-320 +Index: geneve-ut-0320 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and @@ -4510,7 +4510,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-321 +Index: geneve-ut-0321 ```python sequence by user.id with maxspan=5s @@ -4525,7 +4525,7 @@ sequence by user.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-0322 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -4537,7 +4537,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 6 Document count: 6 -Index: geneve-ut-323 +Index: geneve-ut-0323 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4557,7 +4557,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-324 +Index: geneve-ut-0324 ```python process where host.os.type == "windows" and event.type : "start" and @@ -4591,7 +4591,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-0325 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -4603,7 +4603,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-326 +Index: geneve-ut-0326 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -4617,7 +4617,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-327 +Index: geneve-ut-0327 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -4630,7 +4630,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-328 +Index: geneve-ut-0328 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4642,7 +4642,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-329 +Index: geneve-ut-0329 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -4654,7 +4654,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 6 Document count: 6 -Index: geneve-ut-330 +Index: geneve-ut-0330 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4668,7 +4668,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-0331 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -4680,7 +4680,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-335 +Index: geneve-ut-0335 ```python file where host.os.type == "windows" and event.code : "2" and @@ -4712,7 +4712,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 16 Document count: 32 -Index: geneve-ut-336 +Index: geneve-ut-0336 ```python sequence by host.id with maxspan=10s 
@@ -4729,7 +4729,7 @@ sequence by host.id with maxspan=10s Branch count: 4 Document count: 4 -Index: geneve-ut-338 +Index: geneve-ut-0338 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -4743,7 +4743,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-339 +Index: geneve-ut-0339 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -4759,7 +4759,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-341 +Index: geneve-ut-0341 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -4774,7 +4774,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-342 +Index: geneve-ut-0342 ```python process where event.module == "cloud_defend" and @@ -4789,7 +4789,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-343 +Index: geneve-ut-0343 ```python sequence by process.entity_id @@ -4816,7 +4816,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-344 +Index: geneve-ut-0344 ```python process where event.type == "start" and host.os.type == "windows" and @@ -4837,7 +4837,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-345 +Index: geneve-ut-0345 ```python process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and @@ -4856,7 +4856,7 @@ process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and n Branch count: 11 Document count: 11 -Index: geneve-ut-346 +Index: geneve-ut-0346 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -4882,7 +4882,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-348 +Index: geneve-ut-0348 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -4912,7 +4912,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-369 +Index: geneve-ut-0369 ```python event.dataset: google_workspace.alert @@ -4924,7 +4924,7 @@ event.dataset: google_workspace.alert Branch count: 8 Document count: 8 -Index: geneve-ut-370 +Index: geneve-ut-0370 ```python registry where host.os.type == "windows" and @@ -4942,7 +4942,7 @@ registry where host.os.type == "windows" and Branch count: 2 Document count: 2 -Index: geneve-ut-371 +Index: geneve-ut-0371 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -4954,7 +4954,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-372 +Index: geneve-ut-0372 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) @@ -4966,7 +4966,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-373 +Index: geneve-ut-0373 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -4978,7 +4978,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-374 +Index: geneve-ut-0374 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success 
@@ -4990,7 +4990,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-375 +Index: geneve-ut-0375 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -5002,7 +5002,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-0376 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -5014,7 +5014,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-377 +Index: geneve-ut-0377 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -5026,7 +5026,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-378 +Index: geneve-ut-0378 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success @@ -5038,7 +5038,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-379 +Index: geneve-ut-0379 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -5050,7 +5050,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-380 +Index: geneve-ut-0380 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success 
@@ -5062,7 +5062,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-381 +Index: geneve-ut-0381 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -5074,7 +5074,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-382 +Index: geneve-ut-0382 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -5086,7 +5086,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-0383 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -5098,7 +5098,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-384 +Index: geneve-ut-0384 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success @@ -5110,7 +5110,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-385 +Index: geneve-ut-0385 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -5122,7 +5122,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-0386 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success 
@@ -5134,7 +5134,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-387 +Index: geneve-ut-0387 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -5146,7 +5146,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-388 +Index: geneve-ut-0388 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -5158,7 +5158,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-0389 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -5170,7 +5170,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-390 +Index: geneve-ut-0390 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -5182,7 +5182,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-391 +Index: geneve-ut-0391 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success @@ -5194,7 +5194,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-392 +Index: geneve-ut-0392 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -5206,7 +5206,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-393 +Index: geneve-ut-0393 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success 
@@ -5218,7 +5218,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 575 Document count: 575 -Index: geneve-ut-394 +Index: geneve-ut-0394 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( @@ -5242,7 +5242,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 64 Document count: 128 -Index: geneve-ut-395 +Index: geneve-ut-0395 ```python sequence by host.id with maxspan=3s @@ -5260,7 +5260,7 @@ sequence by host.id with maxspan=3s Branch count: 4 Document count: 4 -Index: geneve-ut-396 +Index: geneve-ut-0396 ```python file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and @@ -5288,7 +5288,7 @@ file.extension == null and process.executable != null and not ( Branch count: 8 Document count: 16 -Index: geneve-ut-397 +Index: geneve-ut-0397 ```python sequence by host.id with maxspan=3s @@ -5313,7 +5313,7 @@ sequence by host.id with maxspan=3s Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-0398 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -5325,7 +5325,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-399 +Index: geneve-ut-0399 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -5337,7 +5337,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-400 +Index: geneve-ut-0400 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" 
@@ -5349,7 +5349,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-401 +Index: geneve-ut-0401 ```python configuration where event.dataset == "github.audit" @@ -5362,7 +5362,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-402 +Index: geneve-ut-0402 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" @@ -5374,7 +5374,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-403 +Index: geneve-ut-0403 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -5386,7 +5386,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-405 +Index: geneve-ut-0405 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -5398,7 +5398,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-406 +Index: geneve-ut-0406 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -5411,7 +5411,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-407 +Index: geneve-ut-0407 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -5423,7 +5423,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-408 +Index: geneve-ut-0408 ```python event.dataset:google_workspace.admin 
@@ -5439,7 +5439,7 @@ event.dataset:google_workspace.admin Branch count: 1 Document count: 1 -Index: geneve-ut-409 +Index: geneve-ut-0409 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -5452,7 +5452,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-410 +Index: geneve-ut-0410 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE @@ -5464,7 +5464,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-411 +Index: geneve-ut-0411 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5477,7 +5477,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-412 +Index: geneve-ut-0412 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -5489,7 +5489,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-413 +Index: geneve-ut-0413 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -5502,7 +5502,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-414 +Index: geneve-ut-0414 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and 
@@ -5519,7 +5519,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-415 +Index: geneve-ut-0415 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -5533,7 +5533,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-416 +Index: geneve-ut-0416 ```python sequence by source.user.email with maxspan=3m @@ -5557,7 +5557,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-417 +Index: geneve-ut-0417 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and @@ -5578,7 +5578,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-418 +Index: geneve-ut-0418 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -5592,7 +5592,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-419 +Index: geneve-ut-0419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -5604,7 +5604,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-420 +Index: geneve-ut-0420 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -5616,7 +5616,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-421 +Index: geneve-ut-0421 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam 
@@ -5629,7 +5629,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-423 +Index: geneve-ut-0423 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5642,7 +5642,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-425 +Index: geneve-ut-0425 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -5663,7 +5663,7 @@ process.name == "mkdir" and process.parent.executable like ( Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-0426 ```python file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" @@ -5675,7 +5675,7 @@ file where host.os.type == "linux" and event.type == "creation" and process.name Branch count: 1 Document count: 2 -Index: geneve-ut-435 +Index: geneve-ut-0435 ```python sequence by process.entity_id with maxspan=5m @@ -5692,7 +5692,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 12 Document count: 12 -Index: geneve-ut-436 +Index: geneve-ut-0436 ```python any where @@ -5721,7 +5721,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-437 +Index: geneve-ut-0437 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5734,7 +5734,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-0438 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5749,7 +5749,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-439 +Index: geneve-ut-0439 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -5761,7 +5761,7 @@ Index: geneve-ut-439 Branch count: 8 Document count: 8 -Index: geneve-ut-443 +Index: geneve-ut-0443 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5778,7 +5778,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-445 +Index: geneve-ut-0445 ```python sequence with maxspan=1m @@ -5797,7 +5797,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-446 +Index: geneve-ut-0446 ```python sequence by host.id with maxspan=1m @@ -5815,7 +5815,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-447 +Index: geneve-ut-0447 ```python sequence by host.id with maxspan=5s @@ -5834,7 +5834,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-448 +Index: geneve-ut-0448 ```python sequence by host.id with maxspan = 30s @@ -5850,7 +5850,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-449 +Index: geneve-ut-0449 ```python sequence by host.id with maxspan=30s @@ -5866,7 +5866,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-450 +Index: geneve-ut-0450 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5879,7 +5879,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 14 Document count: 14 -Index: geneve-ut-452 +Index: geneve-ut-0452 ```python event.dataset: "aws.cloudtrail" 
@@ -5897,7 +5897,7 @@ event.dataset: "aws.cloudtrail" Branch count: 1 Document count: 1 -Index: geneve-ut-453 +Index: geneve-ut-0453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5910,7 +5910,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-0454 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -5926,7 +5926,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-455 +Index: geneve-ut-0455 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5949,7 +5949,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-456 +Index: geneve-ut-0456 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -5970,7 +5970,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-457 +Index: geneve-ut-0457 ```python process where container.id : "*" and event.type== "start" and @@ -5991,7 +5991,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-459 +Index: geneve-ut-0459 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and @@ -6004,7 +6004,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-460 +Index: geneve-ut-0460 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -6022,7 +6022,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-461 +Index: geneve-ut-0461 ```python iam where event.action == "modified-user-account" and event.code == "4738" and @@ -6035,7 +6035,7 @@ iam where event.action == "modified-user-account" and event.code == "4738" and Branch count: 2 Document count: 2 -Index: geneve-ut-462 +Index: geneve-ut-0462 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -6049,7 +6049,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-464 +Index: geneve-ut-0464 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -6108,7 +6108,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-465 +Index: geneve-ut-0465 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6121,7 +6121,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-466 +Index: geneve-ut-0466 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -6134,7 +6134,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-467 +Index: geneve-ut-0467 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -6148,7 +6148,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-468 +Index: geneve-ut-0468 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and @@ -6164,7 +6164,7 @@ not process.parent.executable like ( Branch count: 60 Document count: 60 -Index: geneve-ut-469 +Index: geneve-ut-0469 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -6179,7 +6179,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 28 Document count: 28 -Index: geneve-ut-470 +Index: geneve-ut-0470 ```python process where host.os.type == "macos" and event.action == "exec" and @@ -6195,7 +6195,7 @@ process where host.os.type == "macos" and event.action == "exec" and Branch count: 1 Document count: 1 -Index: geneve-ut-471 +Index: geneve-ut-0471 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -6207,7 +6207,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-472 +Index: geneve-ut-0472 ```python event.dataset:kubernetes.audit_logs @@ -6222,7 +6222,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-474 +Index: geneve-ut-0474 ```python event.dataset: "kubernetes.audit_logs" @@ -6236,7 +6236,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-475 +Index: geneve-ut-0475 ```python event.dataset : "kubernetes.audit_logs" @@ -6252,7 +6252,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-476 +Index: geneve-ut-0476 ```python event.dataset : "kubernetes.audit_logs" 
@@ -6269,7 +6269,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-477 +Index: geneve-ut-0477 ```python event.dataset : "kubernetes.audit_logs" @@ -6286,7 +6286,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-478 +Index: geneve-ut-0478 ```python event.dataset : "kubernetes.audit_logs" @@ -6303,7 +6303,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-479 +Index: geneve-ut-0479 ```python event.dataset : "kubernetes.audit_logs" @@ -6336,7 +6336,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-480 +Index: geneve-ut-0480 ```python event.dataset : "kubernetes.audit_logs" @@ -6353,7 +6353,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-481 +Index: geneve-ut-0481 ```python event.dataset : "kubernetes.audit_logs" @@ -6370,7 +6370,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-482 +Index: geneve-ut-0482 ```python event.dataset : "kubernetes.audit_logs" @@ -6387,7 +6387,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-483 +Index: geneve-ut-0483 ```python event.dataset : "kubernetes.audit_logs" @@ -6403,7 +6403,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-484 +Index: geneve-ut-0484 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -6441,7 +6441,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-485 +Index: geneve-ut-0485 ```python any where event.action == "File System" and event.code == "4656" and 
@@ -6476,7 +6476,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-486 +Index: geneve-ut-0486 ```python api where host.os.type == "windows" and @@ -6549,7 +6549,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-487 +Index: geneve-ut-0487 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -6567,7 +6567,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-488 +Index: geneve-ut-0488 ```python sequence by host.id with maxspan=1m @@ -6583,7 +6583,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-489 +Index: geneve-ut-0489 ```python sequence by host.id with maxspan=1m @@ -6597,7 +6597,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-492 +Index: geneve-ut-0492 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6612,7 +6612,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-493 +Index: geneve-ut-0493 ```python process where host.os.type == "linux" and event.type == "start" and @@ -6674,7 +6674,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 72 Document count: 72 -Index: geneve-ut-494 +Index: geneve-ut-0494 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -6688,7 +6688,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 64 Document count: 64 -Index: geneve-ut-495 +Index: geneve-ut-0495 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -6704,7 +6704,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-497 +Index: geneve-ut-0497 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6723,7 +6723,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-499 +Index: geneve-ut-0499 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6741,7 +6741,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 600 Document count: 1200 -Index: geneve-ut-500 +Index: geneve-ut-0500 ```python sequence with maxspan=1m @@ -6766,7 +6766,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-502 +Index: geneve-ut-0502 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -6778,7 +6778,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 64 Document count: 64 -Index: geneve-ut-503 +Index: geneve-ut-0503 ```python registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and @@ -6813,7 +6813,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry Branch count: 84 Document count: 168 -Index: geneve-ut-504 +Index: geneve-ut-0504 ```python sequence by host.id with maxspan=15s @@ -6827,7 +6827,7 @@ sequence by host.id with maxspan=15s Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-0505 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com 
@@ -6839,7 +6839,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-0506 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -6851,7 +6851,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-510 +Index: geneve-ut-0510 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6863,7 +6863,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-511 +Index: geneve-ut-0511 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -6875,7 +6875,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-513 +Index: geneve-ut-0513 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -6887,7 +6887,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 8 Document count: 8 -Index: geneve-ut-516 +Index: geneve-ut-0516 ```python file where host.os.type == "linux" and event.action in ("rename", "creation") and @@ -6919,7 +6919,7 @@ file.path : "/etc/update-motd.d/*" and not ( Branch count: 1 Document count: 1 -Index: geneve-ut-517 +Index: geneve-ut-0517 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success 
@@ -6931,7 +6931,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-518 +Index: geneve-ut-0518 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success @@ -6943,7 +6943,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-0519 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -6955,7 +6955,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-520 +Index: geneve-ut-0520 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -6967,7 +6967,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-0521 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -6979,7 +6979,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-522 +Index: geneve-ut-0522 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success 
@@ -6991,7 +6991,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-523 +Index: geneve-ut-0523 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success @@ -7003,7 +7003,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-0524 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -7015,7 +7015,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-525 +Index: geneve-ut-0525 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -7027,7 +7027,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-0526 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -7039,7 +7039,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-527 +Index: geneve-ut-0527 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success 
@@ -7051,7 +7051,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-528 +Index: geneve-ut-0528 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -7064,7 +7064,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-529 +Index: geneve-ut-0529 ```python event.dataset:o365.audit and event.provider:Exchange and @@ -7083,7 +7083,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-0532 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -7095,7 +7095,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-0533 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -7110,7 +7110,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-534 +Index: geneve-ut-0534 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -7124,7 +7124,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-535 +Index: geneve-ut-0535 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and 
@@ -7138,7 +7138,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-536 +Index: geneve-ut-0536 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -7150,7 +7150,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-537 +Index: geneve-ut-0537 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success @@ -7162,7 +7162,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-540 +Index: geneve-ut-0540 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7176,7 +7176,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-541 +Index: geneve-ut-0541 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7197,7 +7197,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-542 +Index: geneve-ut-0542 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7211,7 +7211,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-543 +Index: geneve-ut-0543 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7244,7 +7244,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-544 +Index: geneve-ut-0544 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -7269,7 +7269,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-0545 ```python event.category: "process" and host.os.type:windows and @@ -7293,7 +7293,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-546 +Index: geneve-ut-0546 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7308,7 +7308,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-547 +Index: geneve-ut-0547 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7322,7 +7322,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-0548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7336,7 +7336,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-549 +Index: geneve-ut-0549 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7359,7 +7359,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 28 Document count: 28 -Index: geneve-ut-550 +Index: geneve-ut-0550 ```python registry where host.os.type == "windows" and event.type == "change" and process.executable != null and @@ -7409,7 +7409,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. Branch count: 1 Document count: 1 -Index: geneve-ut-551 +Index: geneve-ut-0551 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" 
@@ -7421,7 +7421,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 2 Document count: 2 -Index: geneve-ut-552 +Index: geneve-ut-0552 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7439,7 +7439,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-553 +Index: geneve-ut-0553 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7456,7 +7456,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-555 +Index: geneve-ut-0555 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -7468,7 +7468,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 2 Document count: 2 -Index: geneve-ut-556 +Index: geneve-ut-0556 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7494,7 +7494,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-557 +Index: geneve-ut-0557 ```python event.category:file and host.os.type:linux and event.type:change and @@ -7516,7 +7516,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-558 +Index: geneve-ut-0558 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7538,7 +7538,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 8 Document count: 8 -Index: geneve-ut-560 +Index: geneve-ut-0560 ```python registry where host.os.type == "windows" and event.type == "creation" and 
@@ -7555,7 +7555,7 @@ registry where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-561 +Index: geneve-ut-0561 ```python event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and @@ -7569,7 +7569,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified" Branch count: 2 Document count: 2 -Index: geneve-ut-562 +Index: geneve-ut-0562 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -7581,7 +7581,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-563 +Index: geneve-ut-0563 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7604,7 +7604,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-564 +Index: geneve-ut-0564 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -7617,7 +7617,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-565 +Index: geneve-ut-0565 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7636,7 +7636,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-566 +Index: geneve-ut-0566 ```python sequence by process.entity_id with maxspan=30s @@ -7673,7 +7673,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 1 Document count: 2 -Index: geneve-ut-567 +Index: geneve-ut-0567 ```python sequence by process.entity_id with maxspan=10m 
@@ -7691,7 +7691,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-569 +Index: geneve-ut-0569 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -7703,7 +7703,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-573 +Index: geneve-ut-0573 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -7729,7 +7729,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-574 +Index: geneve-ut-0574 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -7755,7 +7755,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-579 +Index: geneve-ut-0579 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -7779,7 +7779,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-581 +Index: geneve-ut-0581 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7793,7 +7793,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 210 Document count: 210 -Index: geneve-ut-582 +Index: geneve-ut-0582 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7812,7 +7812,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-583 +Index: geneve-ut-0583 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and 
@@ -7827,7 +7827,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-584 +Index: geneve-ut-0584 ```python process where container.id: "*" and event.type== "start" @@ -7850,7 +7850,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-585 +Index: geneve-ut-0585 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7864,7 +7864,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 3 Document count: 3 -Index: geneve-ut-586 +Index: geneve-ut-0586 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7881,7 +7881,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-588 +Index: geneve-ut-0588 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -7904,7 +7904,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 2 -Index: geneve-ut-589 +Index: geneve-ut-0589 ```python sequence by host.id with maxspan=1s @@ -7931,7 +7931,7 @@ sequence by host.id with maxspan=1s Branch count: 8 Document count: 16 -Index: geneve-ut-590 +Index: geneve-ut-0590 ```python sequence by host.id with maxspan=10s @@ -7948,7 +7948,7 @@ sequence by host.id with maxspan=10s Branch count: 1 Document count: 1 -Index: geneve-ut-592 +Index: geneve-ut-0592 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -7967,7 +7967,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-593 +Index: geneve-ut-0593 ```python sequence by process.entity_id 
@@ -7987,7 +7987,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-594 +Index: geneve-ut-0594 ```python sequence by process.entity_id @@ -8006,7 +8006,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-595 +Index: geneve-ut-0595 ```python sequence by host.id with maxspan=1m @@ -8026,7 +8026,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-596 +Index: geneve-ut-0596 ```python sequence by process.entity_id @@ -8051,7 +8051,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-597 +Index: geneve-ut-0597 ```python sequence by process.entity_id @@ -8073,7 +8073,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-598 +Index: geneve-ut-0598 ```python network where host.os.type == "linux" and event.type == "start" and @@ -8094,7 +8094,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 2 Document count: 4 -Index: geneve-ut-599 +Index: geneve-ut-0599 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -8125,7 +8125,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-0600 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8155,7 +8155,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 6 Document count: 6 -Index: geneve-ut-603 +Index: geneve-ut-0603 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and @@ -8172,7 +8172,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 3 Document count: 3 -Index: geneve-ut-604 +Index: geneve-ut-0604 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -8185,7 +8185,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-605 +Index: geneve-ut-0605 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -8197,7 +8197,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-606 +Index: geneve-ut-0606 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -8209,7 +8209,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-607 +Index: geneve-ut-0607 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -8221,7 +8221,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-608 +Index: geneve-ut-0608 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -8233,7 +8233,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-609 +Index: geneve-ut-0609 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" @@ -8245,7 +8245,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-610 +Index: geneve-ut-0610 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or 
@@ -8259,7 +8259,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-611 +Index: geneve-ut-0611 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8272,7 +8272,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-613 +Index: geneve-ut-0613 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -8284,7 +8284,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-615 +Index: geneve-ut-0615 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -8298,7 +8298,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-616 +Index: geneve-ut-0616 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -8310,7 +8310,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-617 +Index: geneve-ut-0617 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -8323,7 +8323,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-619 +Index: geneve-ut-0619 ```python event.dataset:okta.system and event.category:authentication and 
@@ -8336,7 +8336,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-620 +Index: geneve-ut-0620 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -8359,7 +8359,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-621 +Index: geneve-ut-0621 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -8371,7 +8371,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-622 +Index: geneve-ut-0622 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -8383,7 +8383,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-624 +Index: geneve-ut-0624 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -8395,7 +8395,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 6 Document count: 6 -Index: geneve-ut-625 +Index: geneve-ut-0625 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8412,7 +8412,7 @@ not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/op Branch count: 36 Document count: 72 -Index: geneve-ut-626 +Index: geneve-ut-0626 ```python sequence by host.id, process.entity_id with maxspan = 5s 
@@ -8427,7 +8427,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 5 Document count: 5 -Index: geneve-ut-627 +Index: geneve-ut-0627 ```python registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and @@ -8446,7 +8446,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi Branch count: 2 Document count: 2 -Index: geneve-ut-629 +Index: geneve-ut-0629 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8460,7 +8460,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-630 +Index: geneve-ut-0630 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8472,7 +8472,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-631 +Index: geneve-ut-0631 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -8484,7 +8484,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-632 +Index: geneve-ut-0632 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8502,7 +8502,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-633 +Index: geneve-ut-0633 ```python event.category:file and host.os.type:macos and not event.type:deletion and 
@@ -8515,7 +8515,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-0634 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -8530,7 +8530,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 11 Document count: 11 -Index: geneve-ut-635 +Index: geneve-ut-0635 ```python process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and @@ -8543,7 +8543,7 @@ process where host.os.type == "macos" and event.type : "start" and process.name Branch count: 32 Document count: 32 -Index: geneve-ut-637 +Index: geneve-ut-0637 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -8572,7 +8572,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-638 +Index: geneve-ut-0638 ```python process where host.os.type == "macos" and event.type == "start" and @@ -8592,7 +8592,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-639 +Index: geneve-ut-0639 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8611,7 +8611,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-640 +Index: geneve-ut-0640 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8624,7 +8624,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-641 +Index: geneve-ut-0641 ```python file where host.os.type == "windows" and event.type != "deletion" and 
@@ -8640,7 +8640,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-642 +Index: geneve-ut-0642 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -8666,7 +8666,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-643 +Index: geneve-ut-0643 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8685,7 +8685,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-644 +Index: geneve-ut-0644 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8713,7 +8713,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-645 +Index: geneve-ut-0645 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8728,7 +8728,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-646 +Index: geneve-ut-0646 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -8791,7 +8791,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 14 Document count: 14 -Index: geneve-ut-647 +Index: geneve-ut-0647 ```python any where host.os.type == "windows" and @@ -8816,7 +8816,7 @@ any where host.os.type == "windows" and Branch count: 3 Document count: 3 -Index: geneve-ut-649 +Index: geneve-ut-0649 ```python registry where host.os.type == "windows" and registry.path : ( @@ -8832,7 +8832,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-650 +Index: geneve-ut-0650 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and 
@@ -8850,7 +8850,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-652 +Index: geneve-ut-0652 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -8862,7 +8862,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-657 +Index: geneve-ut-0657 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -8879,7 +8879,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-659 +Index: geneve-ut-0659 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and @@ -8894,7 +8894,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-661 +Index: geneve-ut-0661 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -8911,7 +8911,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-662 +Index: geneve-ut-0662 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8931,7 +8931,7 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p Branch count: 2 Document count: 6 -Index: geneve-ut-663 +Index: geneve-ut-0663 ```python sequence by host.id, user.name with maxspan = 5s @@ -8960,7 +8960,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-664 +Index: geneve-ut-0664 ```python file where event.module == "cloud_defend" and event.action == "open" and 
@@ -8973,7 +8973,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-665 +Index: geneve-ut-0665 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -8986,7 +8986,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-666 +Index: geneve-ut-0666 ```python process where event.type in ("start", "process_started", "info") and @@ -9010,7 +9010,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-667 +Index: geneve-ut-0667 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -9045,7 +9045,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-668 +Index: geneve-ut-0668 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9063,7 +9063,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-669 +Index: geneve-ut-0669 ```python process where host.os.type == "windows" and event.code == "10" and @@ -9086,7 +9086,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-670 +Index: geneve-ut-0670 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -9140,7 +9140,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-671 +Index: geneve-ut-0671 ```python sequence by process.entity_id with maxspan=1m @@ -9158,7 +9158,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-672 +Index: geneve-ut-0672 ```python sequence by process.entity_id 
@@ -9173,7 +9173,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-674 +Index: geneve-ut-0674 ```python any where processor.name == "transaction" and @@ -9187,7 +9187,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-676 +Index: geneve-ut-0676 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9208,7 +9208,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-677 +Index: geneve-ut-0677 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9229,7 +9229,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-683 +Index: geneve-ut-0683 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -9254,7 +9254,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-684 +Index: geneve-ut-0684 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9267,7 +9267,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-685 +Index: geneve-ut-0685 ```python file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" @@ -9279,7 +9279,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path == Branch count: 2 Document count: 2 -Index: geneve-ut-686 +Index: geneve-ut-0686 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -9292,7 +9292,7 @@ process.parent.name == "proot" Branch count: 12 Document count: 12 -Index: geneve-ut-687 +Index: geneve-ut-0687 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9310,7 +9310,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-688 +Index: geneve-ut-0688 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9323,7 +9323,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-689 +Index: geneve-ut-0689 ```python sequence by process.entity_id with maxspan=3m @@ -9347,7 +9347,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 42 Document count: 42 -Index: geneve-ut-690 +Index: geneve-ut-0690 ```python process where event.type == "start" and host.os.type == "windows" and @@ -9363,7 +9363,7 @@ process where event.type == "start" and host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-691 +Index: geneve-ut-0691 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9388,7 +9388,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-693 +Index: geneve-ut-0693 ```python process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and @@ -9401,7 +9401,7 @@ process.parent.args == "/etc/rc.local" and process.parent.args == "start" Branch count: 1 Document count: 4 -Index: geneve-ut-694 +Index: geneve-ut-0694 ```python sequence by host.id, user.id with maxspan=1s 
@@ -9423,7 +9423,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 204 Document count: 204 -Index: geneve-ut-697 +Index: geneve-ut-0697 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9441,7 +9441,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-0698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9454,7 +9454,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-699 +Index: geneve-ut-0699 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9467,7 +9467,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-701 +Index: geneve-ut-0701 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -9480,7 +9480,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-702 +Index: geneve-ut-0702 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9495,7 +9495,7 @@ not process.parent.command_line like "/opt/cloudlinux/*" Branch count: 60 Document count: 120 -Index: geneve-ut-705 +Index: geneve-ut-0705 ```python sequence by host.id with maxspan=1m @@ -9531,7 +9531,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-706 +Index: geneve-ut-0706 ```python event.category:process and host.os.type:macos and event.type:start and @@ -9544,7 +9544,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-707 +Index: geneve-ut-0707 ```python registry where host.os.type == "windows" and event.type == "change" and 
@@ -9562,7 +9562,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-708 +Index: geneve-ut-0708 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -9576,7 +9576,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-710 +Index: geneve-ut-0710 ```python sequence by host.id with maxspan=30s @@ -9595,7 +9595,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-711 +Index: geneve-ut-0711 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9608,7 +9608,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-712 +Index: geneve-ut-0712 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -9624,7 +9624,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-713 +Index: geneve-ut-0713 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9637,7 +9637,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 168 Document count: 168 -Index: geneve-ut-714 +Index: geneve-ut-0714 ```python process where host.os.type == "linux" and event.type == "start" and @@ -9667,7 +9667,7 @@ process.name in~ ( Branch count: 1 Document count: 10 -Index: geneve-ut-715 +Index: geneve-ut-0715 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s 
@@ -9685,7 +9685,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 458 Document count: 458 -Index: geneve-ut-717 +Index: geneve-ut-0717 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9713,7 +9713,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-718 +Index: geneve-ut-0718 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9732,7 +9732,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-720 +Index: geneve-ut-0720 ```python process where host.os.type == "windows" and @@ -9870,7 +9870,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-721 +Index: geneve-ut-0721 ```python process where host.os.type == "windows" and @@ -9941,7 +9941,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-724 +Index: geneve-ut-0724 ```python library where host.os.type == "windows" and event.action == "load" and @@ -9958,7 +9958,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 14 Document count: 14 -Index: geneve-ut-725 +Index: geneve-ut-0725 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9984,7 +9984,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-727 +Index: geneve-ut-0727 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip 
@@ -9996,7 +9996,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-728 +Index: geneve-ut-0728 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10037,7 +10037,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-733 +Index: geneve-ut-0733 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( @@ -10051,7 +10051,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 4 Document count: 8 -Index: geneve-ut-734 +Index: geneve-ut-0734 ```python sequence by process.entity_id with maxspan=1m @@ -10079,7 +10079,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-736 +Index: geneve-ut-0736 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -10120,7 +10120,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-737 +Index: geneve-ut-0737 ```python network where host.os.type == "windows" and @@ -10146,7 +10146,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-739 +Index: geneve-ut-0739 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10159,7 +10159,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 85 Document count: 85 -Index: geneve-ut-740 +Index: geneve-ut-0740 ```python file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and 
@@ -10229,7 +10229,7 @@ file.path : ( Branch count: 1 Document count: 1 -Index: geneve-ut-741 +Index: geneve-ut-0741 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10243,7 +10243,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-742 +Index: geneve-ut-0742 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -10256,7 +10256,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-743 +Index: geneve-ut-0743 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10280,7 +10280,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 4 Document count: 4 -Index: geneve-ut-744 +Index: geneve-ut-0744 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10300,7 +10300,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 45 Document count: 45 -Index: geneve-ut-745 +Index: geneve-ut-0745 ```python host.os.type:windows and event.category:process and @@ -10337,7 +10337,7 @@ host.os.type:windows and event.category:process and Branch count: 696 Document count: 696 -Index: geneve-ut-746 +Index: geneve-ut-0746 ```python event.category:process and host.os.type:windows and @@ -10530,7 +10530,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-0749 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and 
@@ -10546,7 +10546,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-0750 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -10560,7 +10560,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-751 +Index: geneve-ut-0751 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10577,7 +10577,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-752 +Index: geneve-ut-0752 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -10591,7 +10591,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-753 +Index: geneve-ut-0753 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -10607,7 +10607,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-757 +Index: geneve-ut-0757 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -10623,7 +10623,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-758 +Index: geneve-ut-0758 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -10635,7 +10635,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-759 +Index: geneve-ut-0759 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -10651,7 +10651,7 @@ sequence by host.id, process.entity_id with maxspan=1s
Branch count: 6
Document count: 24
-Index: geneve-ut-760
+Index: geneve-ut-0760
```python
sequence by host.id with maxspan=1m
@@ -10671,7 +10671,7 @@ sequence by host.id with maxspan=1m
Branch count: 1
Document count: 1
-Index: geneve-ut-762
+Index: geneve-ut-0762
```python
event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)
@@ -10683,7 +10683,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD
Branch count: 1
Document count: 1
-Index: geneve-ut-764
+Index: geneve-ut-0764
```python
iam where event.action == "renamed-user-account" and
@@ -10697,7 +10697,7 @@ iam where event.action == "renamed-user-account" and
Branch count: 18
Document count: 18
-Index: geneve-ut-765
+Index: geneve-ut-0765
```python
process where host.os.type == "windows" and event.action == "start" and
@@ -10720,7 +10720,7 @@ process where host.os.type == "windows" and event.action == "start" and
Branch count: 36
Document count: 72
-Index: geneve-ut-767
+Index: geneve-ut-0767
```python
sequence by host.id, process.entity_id with maxspan=3s
@@ -10741,7 +10741,7 @@ sequence by host.id, process.entity_id with maxspan=3s
Branch count: 1
Document count: 1
-Index: geneve-ut-769
+Index: geneve-ut-0769
```python
process where host.os.type == "linux" and event.type == "start" and
@@ -10754,7 +10754,7 @@ process where host.os.type == "linux" and event.type == "start" and
Branch count: 4
Document count: 4
-Index: geneve-ut-775
+Index: geneve-ut-0775
```python
file where host.os.type == "windows" and
@@ -10769,7 +10769,7 @@ file where host.os.type == "windows" and
Branch count: 6
Document count: 6
-Index: geneve-ut-776
+Index: geneve-ut-0776
```python
/* Identifies the modification of RDP Shadow registry or
@@ -10797,7 +10797,7 @@ any where host.os.type == "windows" and
Branch count: 5
Document count: 5
-Index: geneve-ut-777
+Index: geneve-ut-0777
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -10812,7 +10812,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 48
Document count: 144
-Index: geneve-ut-778
+Index: geneve-ut-0778
```python
sequence with maxspan=1m
@@ -10854,7 +10854,7 @@ sequence with maxspan=1m
Branch count: 864
Document count: 1728
-Index: geneve-ut-779
+Index: geneve-ut-0779
```python
sequence by host.id with maxspan=5s
@@ -10874,7 +10874,7 @@ sequence by host.id with maxspan=5s
Branch count: 80
Document count: 80
-Index: geneve-ut-780
+Index: geneve-ut-0780
```python
process where event.type in ("start", "process_started") and
@@ -10895,7 +10895,7 @@ process where event.type in ("start", "process_started") and
Branch count: 32
Document count: 32
-Index: geneve-ut-781
+Index: geneve-ut-0781
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -10909,7 +10909,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish
Branch count: 432
Document count: 864
-Index: geneve-ut-782
+Index: geneve-ut-0782
```python
sequence by host.id, process.entity_id with maxspan=5s
@@ -10929,7 +10929,7 @@ sequence by host.id, process.entity_id with maxspan=5s
Branch count: 288
Document count: 576
-Index: geneve-ut-783
+Index: geneve-ut-0783
```python
sequence by host.id with maxspan=5s
@@ -10958,7 +10958,7 @@ sequence by host.id with maxspan=5s
Branch count: 40
Document count: 40
-Index: geneve-ut-787
+Index: geneve-ut-0787
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -10974,7 +10974,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
Branch count: 1
Document count: 1
-Index: geneve-ut-789
+Index: geneve-ut-0789
```python
file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA"
@@ -10986,7 +10986,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name :
Branch count: 2
Document count: 2
-Index: geneve-ut-790
+Index: geneve-ut-0790
```python
event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
@@ -11000,7 +11000,7 @@ event.action:("Directory Service Changes" or "directory-service-object-modified"
Branch count: 32
Document count: 96
-Index: geneve-ut-792
+Index: geneve-ut-0792
```python
/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
@@ -11028,7 +11028,7 @@ sequence by host.id with maxspan=1m
Branch count: 72
Document count: 144
-Index: geneve-ut-793
+Index: geneve-ut-0793
```python
sequence by host.id with maxspan=1s
@@ -11050,7 +11050,7 @@ sequence by host.id with maxspan=1s
Branch count: 8
Document count: 8
-Index: geneve-ut-797
+Index: geneve-ut-0797
```python
file where host.os.type == "linux" and event.action in ("creation", "rename") and
@@ -11079,7 +11079,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not (
Branch count: 4
Document count: 4
-Index: geneve-ut-798
+Index: geneve-ut-0798
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -11092,7 +11092,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
Branch count: 1
Document count: 2
-Index: geneve-ut-799
+Index: geneve-ut-0799
```python
sequence by host.id, process.session_leader.entity_id with maxspan=15s
@@ -11108,7 +11108,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s
Branch count: 1
Document count: 1
-Index: geneve-ut-800
+Index: geneve-ut-0800
```python
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -11122,7 +11122,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
Branch count: 94
Document count: 94
-Index: geneve-ut-801
+Index: geneve-ut-0801
```python
file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and
@@ -11152,7 +11152,7 @@ file.path : (
Branch count: 8
Document count: 8
-Index: geneve-ut-802
+Index: geneve-ut-0802
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -11165,7 +11165,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
Branch count: 2
Document count: 2
-Index: geneve-ut-803
+Index: geneve-ut-0803
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
@@ -11181,7 +11181,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
Branch count: 6
Document count: 6
-Index: geneve-ut-804
+Index: geneve-ut-0804
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -11198,7 +11198,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 2
Document count: 2
-Index: geneve-ut-805
+Index: geneve-ut-0805
```python
any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
@@ -11211,7 +11211,7 @@ any where host.os.type == "windows" and event.action in ("Directory Service Chan
Branch count: 4
Document count: 4
-Index: geneve-ut-806
+Index: geneve-ut-0806
```python
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
@@ -11228,7 +11228,7 @@ process.executable : (
Branch count: 8
Document count: 16
-Index: geneve-ut-808
+Index: geneve-ut-0808
```python
sequence by host.id, process.entity_id with maxspan = 5s
@@ -11244,7 +11244,7 @@ sequence by host.id, process.entity_id with maxspan = 5s
Branch count: 2
Document count: 2
-Index: geneve-ut-812
+Index: geneve-ut-0812
```python
file where host.os.type == "windows" and event.type != "deletion" and
@@ -11261,7 +11261,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
Branch count: 4
Document count: 16
-Index: geneve-ut-813
+Index: geneve-ut-0813
```python
sequence by okta.actor.id with maxspan=10m
@@ -11281,7 +11281,7 @@ sequence by okta.actor.id with maxspan=10m
Branch count: 72
Document count: 72
-Index: geneve-ut-814
+Index: geneve-ut-0814
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -11297,7 +11297,7 @@ process.parent.name in ("screen", "tmux") and process.name like (
Branch count: 21
Document count: 21
-Index: geneve-ut-815
+Index: geneve-ut-0815
```python
event.category:process and host.os.type:windows and
@@ -11322,7 +11322,7 @@ event.category:process and host.os.type:windows and
Branch count: 4
Document count: 4
-Index: geneve-ut-817
+Index: geneve-ut-0817
```python
event.category:process and host.os.type:windows and
@@ -11341,7 +11341,7 @@ event.category:process and host.os.type:windows and
Branch count: 5
Document count: 5
-Index: geneve-ut-819
+Index: geneve-ut-0819
```python
event.category:process and host.os.type:windows and
@@ -11364,7 +11364,7 @@ event.category:process and host.os.type:windows and
Branch count: 3
Document count: 3
-Index: geneve-ut-820
+Index: geneve-ut-0820
```python
event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18"
@@ -11376,7 +11376,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block
Branch count: 9
Document count: 9
-Index: geneve-ut-821
+Index: geneve-ut-0821
```python
event.category:process and host.os.type:windows and
@@ -11400,7 +11400,7 @@ event.category:process and host.os.type:windows and
Branch count: 6
Document count: 6
-Index: geneve-ut-822
+Index: geneve-ut-0822
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -11417,7 +11417,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 80
Document count: 80
-Index: geneve-ut-839
+Index: geneve-ut-0839
```python
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and
@@ -11437,7 +11437,7 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
Branch count: 4
Document count: 8
-Index: geneve-ut-842
+Index: geneve-ut-0842
```python
sequence by host.id, process.entity_id with maxspan=1s
@@ -11470,7 +11470,7 @@ sequence by host.id, process.entity_id with maxspan=1s
Branch count: 2
Document count: 4
-Index: geneve-ut-843
+Index: geneve-ut-0843
```python
sequence by host.id, process.entry_leader.entity_id with maxspan=1m
@@ -11487,7 +11487,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m
Branch count: 4
Document count: 4
-Index: geneve-ut-844
+Index: geneve-ut-0844
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -11501,7 +11501,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 1
Document count: 1
-Index: geneve-ut-845
+Index: geneve-ut-0845
```python
file where host.os.type == "windows" and event.action : "Pipe Created*" and
@@ -11515,7 +11515,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and
Branch count: 1
Document count: 1
-Index: geneve-ut-846
+Index: geneve-ut-0846
```python
event.category:file and host.os.type:macos and not event.type:deletion and
@@ -11528,7 +11528,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and
Branch count: 426
Document count: 426
-Index: geneve-ut-847
+Index: geneve-ut-0847
```python
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
@@ -11571,7 +11571,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
Branch count: 20
Document count: 20
-Index: geneve-ut-848
+Index: geneve-ut-0848
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -11597,7 +11597,7 @@ registry.path : (
Branch count: 1
Document count: 5
-Index: geneve-ut-849
+Index: geneve-ut-0849
```python
sequence by winlog.computer_name, source.ip with maxspan=10s
@@ -11614,7 +11614,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s
Branch count: 7
Document count: 7
-Index: geneve-ut-852
+Index: geneve-ut-0852
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -11628,7 +11628,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 2
Document count: 2
-Index: geneve-ut-853
+Index: geneve-ut-0853
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -11642,7 +11642,7 @@ user.id != "0"
Branch count: 2
Document count: 2
-Index: geneve-ut-854
+Index: geneve-ut-0854
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -11659,7 +11659,7 @@ process.name == "setcap" and not (
Branch count: 96
Document count: 96
-Index: geneve-ut-856
+Index: geneve-ut-0856
```python
/* This rule is only compatible with Elastic Endpoint 8.4+ */
@@ -11734,7 +11734,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and
Branch count: 2
Document count: 4
-Index: geneve-ut-857
+Index: geneve-ut-0857
```python
sequence by winlog.computer_name with maxspan=1m
@@ -11755,7 +11755,7 @@ sequence by winlog.computer_name with maxspan=1m
Branch count: 8
Document count: 8
-Index: geneve-ut-858
+Index: geneve-ut-0858
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -11774,7 +11774,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 8
Document count: 8
-Index: geneve-ut-859
+Index: geneve-ut-0859
```python
process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in (
@@ -11789,7 +11789,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap")
Branch count: 66
Document count: 66
-Index: geneve-ut-860
+Index: geneve-ut-0860
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -11842,7 +11842,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 2
Document count: 2
-Index: geneve-ut-861
+Index: geneve-ut-0861
```python
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
@@ -11854,7 +11854,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
Branch count: 2
Document count: 2
-Index: geneve-ut-862
+Index: geneve-ut-0862
```python
event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
@@ -11866,7 +11866,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
Branch count: 2
Document count: 2
-Index: geneve-ut-863
+Index: geneve-ut-0863
```python
process where host.os.type == "windows" and process.name: "MSBuild.exe" and
@@ -11879,7 +11879,7 @@ process where host.os.type == "windows" and process.name: "MSBuild.exe" and
Branch count: 114
Document count: 114
-Index: geneve-ut-864
+Index: geneve-ut-0864
```python
process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and
@@ -11922,7 +11922,7 @@ not (
Branch count: 72
Document count: 144
-Index: geneve-ut-866
+Index: geneve-ut-0866
```python
sequence by host.id with maxspan=5s
@@ -11970,7 +11970,7 @@ sequence by host.id with maxspan=5s
Branch count: 4
Document count: 4
-Index: geneve-ut-867
+Index: geneve-ut-0867
```python
process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
@@ -11983,7 +11983,7 @@ process.name : "* "
Branch count: 4
Document count: 4
-Index: geneve-ut-868
+Index: geneve-ut-0868
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12020,7 +12020,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 12
Document count: 12
-Index: geneve-ut-869
+Index: geneve-ut-0869
```python
process where event.action == "exec" and host.os.type == "macos" and
@@ -12040,7 +12040,7 @@ process where event.action == "exec" and host.os.type == "macos" and
Branch count: 4
Document count: 4
-Index: geneve-ut-870
+Index: geneve-ut-0870
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
@@ -12053,7 +12053,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
Branch count: 1
Document count: 2
-Index: geneve-ut-871
+Index: geneve-ut-0871
```python
sequence by process.entity_id
@@ -12077,7 +12077,7 @@ sequence by process.entity_id
Branch count: 2
Document count: 2
-Index: geneve-ut-872
+Index: geneve-ut-0872
```python
file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and
@@ -12096,7 +12096,7 @@ file.path : "/private/var/folders/*"
Branch count: 6
Document count: 6
-Index: geneve-ut-875
+Index: geneve-ut-0875
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -12120,7 +12120,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 4
Document count: 8
-Index: geneve-ut-876
+Index: geneve-ut-0876
```python
sequence by process.entity_id with maxspan=1m
@@ -12135,7 +12135,7 @@ sequence by process.entity_id with maxspan=1m
Branch count: 2
Document count: 2
-Index: geneve-ut-880
+Index: geneve-ut-0880
```python
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
@@ -12147,7 +12147,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an
Branch count: 2
Document count: 2
-Index: geneve-ut-881
+Index: geneve-ut-0881
```python
event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)
@@ -12159,7 +12159,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a
Branch count: 3
Document count: 3
-Index: geneve-ut-887
+Index: geneve-ut-0887
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -12176,7 +12176,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 6
Document count: 6
-Index: geneve-ut-888
+Index: geneve-ut-0888
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -12206,7 +12206,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 18
Document count: 18
-Index: geneve-ut-890
+Index: geneve-ut-0890
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12221,7 +12221,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 6
Document count: 6
-Index: geneve-ut-891
+Index: geneve-ut-0891
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12240,7 +12240,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 13
Document count: 13
-Index: geneve-ut-893
+Index: geneve-ut-0893
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12257,7 +12257,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 22
Document count: 22
-Index: geneve-ut-894
+Index: geneve-ut-0894
```python
file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
@@ -12280,7 +12280,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na
Branch count: 2
Document count: 2
-Index: geneve-ut-895
+Index: geneve-ut-0895
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12294,7 +12294,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 2
Document count: 2
-Index: geneve-ut-896
+Index: geneve-ut-0896
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12308,7 +12308,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 12
Document count: 24
-Index: geneve-ut-897
+Index: geneve-ut-0897
```python
sequence by process.entity_id with maxspan=30s
@@ -12332,7 +12332,7 @@ sequence by process.entity_id with maxspan=30s
Branch count: 8
Document count: 16
-Index: geneve-ut-898
+Index: geneve-ut-0898
```python
sequence by host.id, process.entity_id
@@ -12348,7 +12348,7 @@ sequence by host.id, process.entity_id
Branch count: 2
Document count: 2
-Index: geneve-ut-899
+Index: geneve-ut-0899
```python
event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -12363,7 +12363,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
Branch count: 2
Document count: 4
-Index: geneve-ut-900
+Index: geneve-ut-0900
```python
/* Task Scheduler service incoming connection followed by TaskCache registry modification */
@@ -12383,7 +12383,7 @@ sequence by host.id, process.entity_id with maxspan = 1m
Branch count: 1
Document count: 1
-Index: geneve-ut-901
+Index: geneve-ut-0901
```python
iam where event.action == "scheduled-task-created" and
@@ -12396,7 +12396,7 @@ iam where event.action == "scheduled-task-created" and
Branch count: 1
Document count: 2
-Index: geneve-ut-903
+Index: geneve-ut-0903
```python
sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
@@ -12438,7 +12438,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and
Branch count: 16
Document count: 32
-Index: geneve-ut-904
+Index: geneve-ut-0904
```python
sequence with maxspan=1m
@@ -12461,7 +12461,7 @@ sequence with maxspan=1m
Branch count: 4
Document count: 8
-Index: geneve-ut-905
+Index: geneve-ut-0905
```python
sequence with maxspan=1s
@@ -12509,7 +12509,7 @@ sequence with maxspan=1s
Branch count: 1
Document count: 1
-Index: geneve-ut-906
+Index: geneve-ut-0906
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12522,7 +12522,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 4
Document count: 4
-Index: geneve-ut-908
+Index: geneve-ut-0908
```python
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -12542,7 +12542,7 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not (
Branch count: 2
Document count: 4
-Index: geneve-ut-909
+Index: geneve-ut-0909
```python
sequence by host.id, process.entry_leader.entity_id with maxspan=30s
@@ -12559,7 +12559,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s
Branch count: 48
Document count: 48
-Index: geneve-ut-910
+Index: geneve-ut-0910
```python
(event.dataset: (network_traffic.http or network_traffic.tls) or
@@ -12606,7 +12606,7 @@ Index: geneve-ut-910
Branch count: 1
Document count: 1
-Index: geneve-ut-911
+Index: geneve-ut-0911
```python
event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
@@ -12619,7 +12619,7 @@ event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
Branch count: 4
Document count: 4
-Index: geneve-ut-912
+Index: geneve-ut-0912
```python
file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
@@ -12632,7 +12632,7 @@ and file.path : "/etc/selinux/config"
Branch count: 32
Document count: 32
-Index: geneve-ut-913
+Index: geneve-ut-0913
```python
registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
@@ -12653,7 +12653,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
Branch count: 4
Document count: 4
-Index: geneve-ut-916
+Index: geneve-ut-0916
```python
(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
@@ -12665,7 +12665,7 @@ Index: geneve-ut-916
Branch count: 6
Document count: 6
-Index: geneve-ut-918
+Index: geneve-ut-0918
```python
file where container.id:"*" and
@@ -12678,7 +12678,7 @@ file where container.id:"*" and
Branch count: 2
Document count: 2
-Index: geneve-ut-919
+Index: geneve-ut-0919
```python
process where container.id: "*" and event.type == "start" and
@@ -12699,7 +12699,7 @@ process.interactive== true
Branch count: 6
Document count: 6
-Index: geneve-ut-920
+Index: geneve-ut-0920
```python
file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and
@@ -12713,7 +12713,7 @@ not file.name : "known_hosts.*"
Branch count: 6
Document count: 6
-Index: geneve-ut-921
+Index: geneve-ut-0921
```python
process where container.id: "*" and event.type== "start" and
@@ -12727,7 +12727,7 @@ process.name: ("sshd", "ssh", "autossh")
Branch count: 2
Document count: 2
-Index: geneve-ut-922
+Index: geneve-ut-0922
```python
file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and
@@ -12740,7 +12740,7 @@ file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman")
Branch count: 36
Document count: 36
-Index: geneve-ut-925
+Index: geneve-ut-0925
```python
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -12758,7 +12758,7 @@ process.name == "find" and process.args : "-perm" and process.args : (
Branch count: 60
Document count: 120
-Index: geneve-ut-927
+Index: geneve-ut-0927
```python
sequence by host.id with maxspan = 30s
@@ -12779,7 +12779,7 @@ sequence by host.id with maxspan = 30s
Branch count: 6
Document count: 6
-Index: geneve-ut-929
+Index: geneve-ut-0929
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -12796,7 +12796,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 9
Document count: 9
-Index: geneve-ut-930
+Index: geneve-ut-0930
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12811,7 +12811,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 27
Document count: 27
-Index: geneve-ut-931
+Index: geneve-ut-0931
```python
file where host.os.type == "macos" and event.type != "deletion" and
@@ -12852,7 +12852,7 @@ file where host.os.type == "macos" and event.type != "deletion" and
Branch count: 1
Document count: 1
-Index: geneve-ut-933
+Index: geneve-ut-0933
```python
any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
@@ -12886,7 +12886,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
Branch count: 2
Document count: 2
-Index: geneve-ut-934
+Index: geneve-ut-0934
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12900,7 +12900,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 112
Document count: 112
-Index: geneve-ut-935
+Index: geneve-ut-0935
```python
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -12920,7 +12920,7 @@ process.args like (
Branch count: 2
Document count: 2
-Index: geneve-ut-936
+Index: geneve-ut-0936
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -12934,7 +12934,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get"
Branch count: 116
Document count: 116
-Index: geneve-ut-937
+Index: geneve-ut-0937
```python
process where event.type == "start" and
@@ -12995,7 +12995,7 @@ process.name : "grep" and user.id != "0" and
Branch count: 270
Document count: 270
-Index: geneve-ut-940
+Index: geneve-ut-0940
```python
process where container.id: "*" and event.type== "start" and
@@ -13038,7 +13038,7 @@ and process.args: (
Branch count: 60
Document count: 60
-Index: geneve-ut-941
+Index: geneve-ut-0941
```python
process where container.id: "*" and event.type== "start" and
@@ -13062,7 +13062,7 @@ or
Branch count: 1
Document count: 1
-Index: geneve-ut-942
+Index: geneve-ut-0942
```python
event.action:"Authorization Policy Change" and event.code:4704 and
@@ -13075,7 +13075,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and
Branch count: 6
Document count: 6
-Index: geneve-ut-943
+Index: geneve-ut-0943
```python
file where host.os.type == "windows" and
@@ -13096,7 +13096,7 @@ file where host.os.type == "windows" and
Branch count: 16
Document count: 32
-Index: geneve-ut-944
+Index: geneve-ut-0944
```python
sequence by process.entity_id with maxspan = 1m
@@ -13113,7 +13113,7 @@ sequence by process.entity_id with maxspan = 1m
Branch count: 96
Document count: 96
-Index: geneve-ut-945
+Index: geneve-ut-0945
```python
/* This rule is not compatible with Sysmon due to user.id issues */
@@ -13133,7 +13133,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 1
Document count: 2
-Index: geneve-ut-946
+Index: geneve-ut-0946
```python
sequence by winlog.computer_name with maxspan=5m
@@ -13157,7 +13157,7 @@ sequence by winlog.computer_name with maxspan=5m
Branch count: 10
Document count: 10
-Index: geneve-ut-947
+Index: geneve-ut-0947
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -13172,7 +13172,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 8
Document count: 8
-Index: geneve-ut-948
+Index: geneve-ut-0948
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -13193,7 +13193,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 2
Document count: 2
-Index: geneve-ut-949
+Index: geneve-ut-0949
```python
registry where host.os.type == "windows" and event.type == "change" and
@@ -13216,7 +13216,7 @@ registry where host.os.type == "windows" and event.type == "change" and
Branch count: 1
Document count: 1
-Index: geneve-ut-950
+Index: geneve-ut-0950
```python
process where event.type == "start" and process.name : "sc.exe" and
@@ -13229,7 +13229,7 @@ process where event.type == "start" and process.name : "sc.exe" and
Branch count: 2
Document count: 2
-Index: geneve-ut-951
+Index: geneve-ut-0951
```python
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
@@ -13245,7 +13245,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not (
Branch count: 1
Document count: 1
-Index: geneve-ut-952
+Index: geneve-ut-0952
```python
file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and
@@ -13258,7 +13258,7 @@ file.path == "/etc/shadow" and file.Ext.original.path != null
Branch count: 1
Document count: 1
-Index: geneve-ut-953
+Index: geneve-ut-0953
```python
event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
@@ -13270,7 +13270,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint
Branch count: 264
Document count: 264
-Index: geneve-ut-955
+Index: geneve-ut-0955
```python
file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
@@ -13318,7 +13318,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
Branch count: 72
Document count: 144
-Index: geneve-ut-956
+Index: geneve-ut-0956
```python
sequence by host.id with maxspan=5s
@@ -13332,7 +13332,7 @@ sequence by host.id with maxspan=5s
Branch count: 162
Document count: 162
-Index: geneve-ut-957
+Index: geneve-ut-0957
```python
file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and
@@ -13354,7 +13354,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten
Branch count: 1
Document count: 1
-Index: geneve-ut-958
+Index: geneve-ut-0958
```python
process where host.os.type == "windows" and event.type == "start" and
@@ -13373,7 +13373,7 @@ process where host.os.type == "windows" and event.type == "start" and
Branch count: 4
Document count: 4
-Index: geneve-ut-959
+Index: geneve-ut-0959
```python
event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -13387,7 +13387,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
Branch count: 42
Document count: 42
-Index: geneve-ut-960
+Index: geneve-ut-0960
```python
registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and
@@ -13414,7 +13414,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
Branch count: 12
Document count: 24
-Index: geneve-ut-974
+Index: geneve-ut-0974
```python
sequence by host.id, process.entity_id with maxspan=5s
@@ -13439,7 +13439,7 @@ sequence by host.id, process.entity_id with maxspan=5s
Branch count: 36
Document count: 36
-Index: geneve-ut-975
+Index: geneve-ut-0975
```python
file where host.os.type == "windows" and event.type != "deletion" and
@@ -13472,7 +13472,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
Branch count: 1
Document count: 1
-Index: geneve-ut-978
+Index: geneve-ut-0978
```python
beacon_stats.is_beaconing: true and
@@ -13490,7 +13490,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "
 
 Branch count: 1
 Document count: 1
-Index: geneve-ut-979
+Index: geneve-ut-0979
 
 ```python
 beacon_stats.beaconing_score: 3
@@ -13502,7 +13502,7 @@ beacon_stats.beaconing_score: 3
 
 Branch count: 2
 Document count: 6
-Index: geneve-ut-980
+Index: geneve-ut-0980
 
 ```python
 sequence by user.name with maxspan=12h
@@ -13517,7 +13517,7 @@ sequence by user.name with maxspan=12h
 
 Branch count: 4
 Document count: 4
-Index: geneve-ut-981
+Index: geneve-ut-0981
 
 ```python
 file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and
@@ -13542,7 +13542,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and
 
 Branch count: 8
 Document count: 8
-Index: geneve-ut-983
+Index: geneve-ut-0983
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -13557,7 +13557,7 @@ not process.args == "dpkg"
 
 Branch count: 16
 Document count: 16
-Index: geneve-ut-986
+Index: geneve-ut-0986
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13571,7 +13571,7 @@ process where host.os.type == "windows" and event.type == "start" and
 
 Branch count: 16
 Document count: 16
-Index: geneve-ut-987
+Index: geneve-ut-0987
 
 ```python
 event.category:process and host.os.type:windows and
@@ -13602,7 +13602,7 @@ event.category:process and host.os.type:windows and
 
 Branch count: 16
 Document count: 16
-Index: geneve-ut-988
+Index: geneve-ut-0988
 
 ```python
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -13617,7 +13617,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en
 
 Branch count: 152
 Document count: 304
-Index: geneve-ut-989
+Index: geneve-ut-0989
 
 ```python
 sequence by host.id with maxspan=5s
@@ -13639,7 +13639,7 @@ sequence by host.id with maxspan=5s
 
 Branch count: 8
 Document count: 16
-Index: geneve-ut-990
+Index: geneve-ut-0990
 
 ```python
 sequence by host.id with maxspan=5s
@@ -13666,7 +13666,7 @@ sequence by host.id with maxspan=5s
 
 Branch count: 1
 Document count: 1
-Index: geneve-ut-992
+Index: geneve-ut-0992
 
 ```python
 event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser
@@ -13678,7 +13678,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi
 
 Branch count: 4
 Document count: 4
-Index: geneve-ut-993
+Index: geneve-ut-0993
 
 ```python
 file where host.os.type == "windows" and event.type != "deletion" and file.path != null and
@@ -13710,7 +13710,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path
 
 Branch count: 2
 Document count: 4
-Index: geneve-ut-994
+Index: geneve-ut-0994
 
 ```python
 sequence by host.id with maxspan=30s
@@ -13724,7 +13724,7 @@ sequence by host.id with maxspan=30s
 
 Branch count: 182
 Document count: 182
-Index: geneve-ut-995
+Index: geneve-ut-0995
 
 ```python
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
@@ -13756,7 +13756,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 
 Branch count: 1
 Document count: 1
-Index: geneve-ut-996
+Index: geneve-ut-0996
 
 ```python
 event.category:file and host.os.type:macos and event.action:modification and
@@ -13780,7 +13780,7 @@ event.category:file and host.os.type:macos and event.action:modification and
 
 Branch count: 14
 Document count: 14
-Index: geneve-ut-997
+Index: geneve-ut-0997
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
@@ -13794,7 +13794,7 @@ process where host.os.type == "windows" and event.type == "start" and
 
 Branch count: 2
 Document count: 2
-Index: geneve-ut-998
+Index: geneve-ut-0998
 
 ```python
 event.category:process and host.os.type:macos and event.type:(start or process_started) and
@@ -13817,7 +13817,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s
 
 Branch count: 2
 Document count: 2
-Index: geneve-ut-999
+Index: geneve-ut-0999
 
 ```python
 process where host.os.type == "windows" and event.type == "start" and
diff --git a/tests/test_emitter_queries.py b/tests/test_emitter_queries.py
index 70c3b34a..fbb70558 100644
--- a/tests/test_emitter_queries.py
+++ b/tests/test_emitter_queries.py
@@ -915,7 +915,7 @@ def parse_from_queries(self, queries):
         asts = []
         for i, query in enumerate(queries):
             guess = guess_from_query(query)
-            index_name = "{:s}-{:03d}".format(self.index_template, i)
+            index_name = "{:s}-{:04d}".format(self.index_template, i)
             rules.append(
                 {
                     "rule_id": "test_{:03d}".format(i),
diff --git a/tests/test_emitter_rules.py b/tests/test_emitter_rules.py
index 3a9f714d..eb807794 100644
--- a/tests/test_emitter_rules.py
+++ b/tests/test_emitter_rules.py
@@ -173,7 +173,7 @@ def parse_from_collection(self, collection):
                 asts.append(ast_from_rule(rule))
             except Exception:
                 continue
-            index_name = "{:s}-{:03d}".format(self.index_template, i)
+            index_name = "{:s}-{:04d}".format(self.index_template, i)
             rules.append(
                 {
                     "rule_id": rule.rule_id,
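Review bot: The padding width is now inconsistent inside the same dict literal in parse_from_queries: `index_name` is zero-padded with `{:04d}`, while the `rule_id` two lines below is still built with `"test_{:03d}".format(i)`, so once the query count passes 999 the index names keep sorting lexically but the rule ids no longer do. Changing that line to `"rule_id": "test_{:04d}".format(i),` keeps the two identifiers for the same query aligned. The same width is also hard-coded independently in the parse_from_collection hunk of tests/test_emitter_rules.py; a single shared constant or a small helper that formats the index name would stop the two test files from drifting apart again, as they presumably did before this commit. Both enclosing methods begin and continue outside their hunks.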