[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)

* Updated ESQL rules based on validation results

* Patch bump

* Updated regex patterns

* added missing azure fields to non-ecs-schema.json; adjusted okta query logic to use LIKE instead of RLIKE

* fixed incorrect field in non-ecs-schema.json; changed logs-azure.signinlogs* sightings to logs-azure.signinlogs-*

* Add and

* Additional non-ecs fields

* Add EOF

* Add kibana.alert.rule.name

* removed azure.platformlogs.identity.claim.objectid; updated query for 'c07f7898-5dc3-11f0-9f27-f661ea17fbcd'

* Field removed from query removing from keep

* Patch Bump

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Eric Forte
2025-09-30 00:36:29 -04:00
committed by GitHub
parent 42be8bc8ba
commit 7410ec7db9
31 changed files with 71 additions and 50 deletions
+15 -5
@@ -144,7 +144,8 @@
"signal.rule.threat.tactic.name": "keyword",
"kibana.alert.rule.threat.tactic.id": "keyword",
"kibana.alert.workflow_status": "keyword",
"kibana.alert.rule.rule_id": "keyword"
"kibana.alert.rule.rule_id": "keyword",
"kibana.alert.rule.name": "keyword"
},
"logs-google_workspace*": {
"gsuite.admin": "keyword",
@@ -188,7 +189,12 @@
"azure.auditlogs.properties.target_resources.0.display_name": "keyword",
"azure.signinlogs.properties.authentication_details.authentication_method": "keyword",
"azure.signinlogs.properties.authentication_processing_details": "keyword",
"azure.signinlogs.properties.token_protection_status_details.sign_in_session_status": "keyword"
"azure.signinlogs.properties.token_protection_status_details.sign_in_session_status": "keyword",
"azure.signinlogs.properties.session_id": "keyword",
"azure.signinlogs.properties.mfa_detail.auth_method": "keyword",
"azure.signinlogs.properties.client_credential_type": "keyword",
"azure.signinlogs.properties.app_owner_tenant_id": "keyword",
"azure.signinlogs.properties.resource_owner_tenant_id": "keyword"
},
"logs-azure.activitylogs-*": {
"azure.activitylogs.properties.authentication_protocol": "keyword",
@@ -199,18 +205,22 @@
"logs-azure.graphactivitylogs-*": {
"azure.graphactivitylogs.properties.c_idtyp": "keyword",
"azure.graphactivitylogs.properties.user_principal_object_id": "keyword",
"azure.graphactivitylogs.properties.requestUri": "keyword"
"azure.graphactivitylogs.properties.requestUri": "keyword",
"azure.graphactivitylogs.properties.c_sid": "keyword"
},
"logs-azure.auditlogs-*": {
"azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value": "keyword",
"azure.auditlogs.properties.additional_details.value": "keyword"
"azure.auditlogs.properties.additional_details.value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value": "keyword"
},
"logs-azure.platformlogs-*": {
"azure.platformlogs.identity.claim.upn": "keyword",
"azure.platformlogs.properties.id": "keyword"
"azure.platformlogs.properties.id": "keyword",
"azure.platformlogs.identity.claim.appid": "keyword"
},
"logs-o365.audit-*": {
"o365.audit.ExtendedProperties.RequestType": "keyword",
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.4.7"
version = "1.4.8"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2024/05/01"
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -85,10 +85,11 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-aws.cloudtrail*
from logs-aws.cloudtrail-*
| where
event.provider == "s3.amazonaws.com"
event.dataset == "aws.cloudtrail"
and event.provider == "s3.amazonaws.com"
and aws.cloudtrail.error_code == "AccessDenied"
and tls.client.server_name is not null
and cloud.account.id is not null
@@ -2,7 +2,7 @@
creation_date = "2025/04/15"
integration = ["aws"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -96,7 +96,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
"%{{?bucket.name.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_name}, %{?host.key}=%{Esql_priv.aws_cloudtrail_request_parameters_host}, %{?bucket.object.location.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_object_location}}"
// Extract file name portion from full object path
| dissect Esql.aws_cloudtrail_request_parameters_object_location "%{}static/js/%{Esql.aws_cloudtrail_request_parameters_object_key}"
| dissect Esql.aws_cloudtrail_request_parameters_bucket_object_location "%{}static/js/%{Esql.aws_cloudtrail_request_parameters_object_key}"
// Match on JavaScript files
| where ends_with(Esql.aws_cloudtrail_request_parameters_object_key, ".js")
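Review bot: This rule's query still reads from the broad `logs-aws.cloudtrail*` pattern (visible in the hunk header context `from logs-aws.cloudtrail* metadata _id, _version, _index`), while the sibling CloudTrail rule earlier in this commit was narrowed to `from logs-aws.cloudtrail-*`; the two should agree, and the `-*` form is the one that matches only the data-stream naming the rule targets. The change on the dissect line itself is correct: it now reads `Esql.aws_cloudtrail_request_parameters_bucket_object_location`, the field the preceding dissect defines, whereas the old name was never assigned. A one-line `//` comment above the dissect, e.g. `// objects outside a static/js/ path presumably fail this dissect and drop out at the ends_with check below`, would document why the filter works without an explicit null check — worth confirming against ES|QL's dissect-miss behavior. The query's from clause and the rest of the pipeline fall outside this hunk.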
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/11/25"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/05/02"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/05/02"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/05/05"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/05/04"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/05/02"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/11/20"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/11/20"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2024/11/20"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -2,7 +2,7 @@
creation_date = "2025/04/28"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-azure.signinlogs* metadata _id, _version, _index
from logs-azure.signinlogs-* metadata _id, _version, _index
// Scheduled to run every hour, reviewing events from past hour
| where
@@ -2,7 +2,7 @@
creation_date = "2024/12/11"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/31"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-azure.signinlogs* metadata _id, _version, _index
from logs-azure.signinlogs-* metadata _id, _version, _index
| where
// filter for Entra Sign-in Logs
@@ -2,7 +2,7 @@
creation_date = "2025/07/10"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/24"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -121,7 +121,6 @@ from logs-azure.platformlogs-* metadata _id, _index
Esql_priv.azure_platformlogs_identity_claim_upn_values = values(azure.platformlogs.identity.claim.upn),
Esql.azure_platformlogs_identity_claim_upn_count_distinct = count_distinct(azure.platformlogs.identity.claim.upn),
Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),
Esql.azure_platformlogs_identity_claim_objectid_values = values(azure.platformlogs.identity.claim.objectid),
Esql.source_ip_values = values(source.ip),
Esql.geo_city_values = values(geo.city_name),
@@ -150,7 +149,6 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
Esql_priv.azure_platformlogs_identity_claim_upn_values,
Esql.azure_platformlogs_identity_claim_upn_count_distinct,
Esql.azure_platformlogs_identity_claim_appid_values,
Esql.azure_platformlogs_identity_claim_objectid_values,
Esql.source_ip_values,
Esql.geo_city_values,
Esql.geo_region_values,
@@ -2,7 +2,7 @@
creation_date = "2024/09/06"
integration = ["azure"]
maturity = "production"
updated_date = "2025/09/10"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-azure.signinlogs*
from logs-azure.signinlogs-*
// Define a time window for grouping and maintain the original event timestamp
| eval Esql.time_window_date_trunc = date_trunc(15 minutes, @timestamp)
@@ -2,7 +2,7 @@
creation_date = "2025/07/01"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-azure.signinlogs*
from logs-azure.signinlogs-*
| eval
Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),
@@ -2,7 +2,7 @@
creation_date = "2024/09/06"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-azure.signinlogs*
from logs-azure.signinlogs-*
| eval
Esql.time_window_date_trunc = date_trunc(15 minutes, @timestamp),
@@ -2,7 +2,7 @@
creation_date = "2021/01/04"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/21"
updated_date = "2025/09/26"
[rule]
author = ["Elastic", "Willem D'Haese"]
@@ -13,7 +13,7 @@ provide specific details about how risk is calculated, each level brings higher
compromised.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.signinlogs*"]
index = ["filebeat-*", "logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID High Risk Sign-in"
@@ -2,7 +2,7 @@
creation_date = "2025/04/30"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/26"
[rule]
author = ["Elastic"]
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-azure.signinlogs* metadata _id, _version, _index
from logs-azure.signinlogs-* metadata _id, _version, _index
| where
event.dataset == "azure.signinlogs" and
event.outcome == "success" and
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2025/02/25"
integration = ["azure_openai"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2025/02/25"
integration = ["azure_openai"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2025/02/25"
integration = ["azure_openai"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -2,7 +2,7 @@
creation_date = "2023/11/08"
integration = ["okta"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -86,7 +86,7 @@ from logs-okta*
"user.authentication.sso"
) and
okta.actor.alternate_id != "system@okta.com" and
okta.actor.alternate_id rlike "[^@\s]+\@[^@\s]+" and
okta.actor.alternate_id rlike "[^@\\s]+\\@[^@\\s]+" and
okta.authentication_context.external_session_id != "unknown"
| keep
event.action,
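Review bot: The `\\@` in the new pattern on the `okta.actor.alternate_id rlike` line escapes a character that has no special meaning in a regex, so it only adds noise; `okta.actor.alternate_id rlike "[^@\\s]+@[^@\\s]+" and` matches exactly the same values and is easier to read. Doubling the backslashes before `s` is the right fix: the TOML `'''` literal passes them through verbatim and the ES|QL double-quoted string consumes one level, leaving `\s` for the regex engine, which is what the validation run appears to have caught. Because ES|QL rlike matches the whole value, the pattern also requires exactly one `@` with no whitespace on either side, and that intent deserves a comment above the condition, e.g. `// whole-value match: exactly one '@' with non-empty, space-free local and domain parts`. The enclosing where clause and the query's from line are outside this hunk.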
@@ -2,7 +2,7 @@
creation_date = "2024/06/17"
integration = ["okta"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -93,7 +93,7 @@ query = '''
from logs-okta*
| where
event.dataset == "okta.system" and
(event.action == "user.session.start" or event.action rlike "user\.authentication(.*)") and
(event.action == "user.session.start" or event.action like "user.authentication.*") and
okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
okta.client.ip,
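Review bot: The new `like "user.authentication.*"` on the `event.action` line is not a strict equivalent of the removed `rlike "user\.authentication(.*)"`: the regex's `(.*)` allowed an empty suffix, so a bare `user.authentication` action matched before and no longer does, because ES|QL LIKE treats `.` as a literal (only `*` and `?` are wildcards) and therefore needs the `user.authentication.` prefix. If Okta only emits sub-typed actions such as `user.authentication.sso`, the difference is harmless, but it should be stated next to the condition, e.g. `// sub-typed authentication actions only (user.authentication.<type>); bare user.authentication is intentionally excluded`. The same replacement appears in the three following Okta hunks (those with the `dt_hash`, `request_uri` and `is_proxy` conditions), so the same remark applies there. The query's from line and the rest of the where block are outside this hunk.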
@@ -2,7 +2,7 @@
creation_date = "2024/06/17"
integration = ["okta"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -90,7 +90,7 @@ query = '''
from logs-okta*
| where
event.dataset == "okta.system" and
(event.action rlike "user\.authentication(.*)" or event.action == "user.session.start") and
(event.action like "user.authentication.*" or event.action == "user.session.start") and
okta.debug_context.debug_data.dt_hash != "-" and
okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
@@ -2,7 +2,7 @@
creation_date = "2024/06/17"
integration = ["okta"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -94,7 +94,7 @@ query = '''
from logs-okta*
| where
event.dataset == "okta.system" and
(event.action rlike "user\.authentication(.*)" or event.action == "user.session.start") and
(event.action like "user.authentication.*" or event.action == "user.session.start") and
okta.debug_context.debug_data.request_uri == "/api/v1/authn" and
okta.outcome.reason == "INVALID_CREDENTIALS"
| keep
@@ -2,7 +2,7 @@
creation_date = "2023/11/18"
integration = ["okta"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/25"
[rule]
author = ["Elastic"]
@@ -80,7 +80,7 @@ query = '''
from logs-okta*
| where
event.dataset == "okta.system" and
(event.action rlike "user\.authentication(.*)" or event.action == "user.session.start") and
(event.action like "user.authentication.*" or event.action == "user.session.start") and
okta.security_context.is_proxy != true and
okta.actor.id != "unknown" and
event.outcome == "success"