security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] ESQL Dynamic unique value fields (#5569)

Browse Source 
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion

Extract dynamic field with 1 value to ECS fields for alerts exclusion:

Esql.host_id_values -> host.is
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update newly_observed_elastic_defend_alert.toml

* Update defense_evasion_base64_decoding_activity.toml

* Update discovery_subnet_scanning_activity_from_compromised_host.toml

* Update persistence_web_server_sus_command_execution.toml

* Update persistence_web_server_sus_child_spawned.toml

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/impact_potential_bruteforce_malware_infection.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/credential_access_rare_webdav_destination.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update credential_access_rare_webdav_destination.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Samirbous
2026-01-26 16:34:16 +00:00
committed by GitHub
parent edf28367e4
commit 88e0b14709
13 changed files with 94 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_web_server_sus_command_execution.toml
+7 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/03/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/23"
updated_date = "2026/01/16"
[rule]
author = ["Elastic"]
@@ -167,6 +167,12 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
Esql.agent_id_count_distinct == 1 and
Esql.event_count < 5
| sort Esql.event_count asc
// Extract unique values to ECS fields for alerts exclusion
| eval agent.id = mv_min(Esql.agent_id_values),
host.name = mv_min(Esql.host_name_values)
| keep agent.id, host.name, process.command_line, process.working_directory, process.parent.executable, Esql.*
'''
[[rule.threat]]