diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 039b2ec52..a4a745436 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index cb70034f8..4c15c1ba9 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/pyproject.toml b/pyproject.toml
index 608cd9e38..04c42fc3c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.2"
+version = "1.6.3"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml b/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml
index b44fced46..82d2fbe53 100644
--- a/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml
+++ b/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/27"
-integration = ["nginx", "apache", "apache_tomcat"]
+integration = ["nginx", "apache", "apache_tomcat", "traefik"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
 "logs-nginx.access-*",
 "logs-apache.access-*",
 "logs-apache_tomcat.access-*",
+ "logs-traefik.access-*",
 ]
 language = "kuery"
 license = "Elastic License v2"
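Review bot: `logs-traefik.access-*` is added to `index` and `traefik` to `integration` without any change to this rule's `query`, which lies outside the hunk, so detection on Traefik events rests entirely on the `traefik.access` pipeline populating the same ECS fields the existing Nginx/Apache/Tomcat data already provides. The same applies to the `from` clauses and `index` arrays in discovery_web_server_local_file_inclusion_activity.toml, discovery_web_server_remote_file_inclusion_activity.toml, persistence_web_server_potential_command_injection.toml, the three reconnaissance_web_server_*.toml rules and rules_building_block/persistence_web_server_potential_sql_injection.toml, whose visible `where`/`eval` lines depend on `http.request.method`, `http.response.status_code`, `url.original` and `user_agent.original`. Traefik is a reverse proxy whose native access log records both the status it returned to the client and the status it received from the backend; which of the two the integration maps onto `http.response.status_code` is not visible here, and the `== 200` and `in (404, 403)` filters behave differently depending on that choice. Checking one sample `traefik.access` event against each query, and adding a one-line `# traefik.access: confirm http.response.status_code and url.original mapping` comment above the new index entry, would make that assumption explicit rather than implicit in the index pattern.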
@@ -63,6 +64,7 @@ tags = [
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
index 0957715ca..e2a5a73ca 100644
--- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
+++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2025/12/02"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -60,6 +60,7 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -69,7 +70,8 @@ from logs-nginx.access-*,
 logs-apache.access-*,
 logs-apache_tomcat.access-*,
- logs-iis.access-*
+ logs-iis.access-*,
+ logs-traefik.access-*
 | where
 http.request.method == "GET" and
 http.response.status_code == 200 and
diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
index acf06763a..42a22dc40 100644
--- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
+++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2025/12/02"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -62,6 +62,7 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -71,7 +72,8 @@ from logs-nginx.access-*,
 logs-apache.access-*,
 logs-apache_tomcat.access-*,
- logs-iis.access-*
+ logs-iis.access-*,
+ logs-traefik.access-*
 | where
 http.request.method == "GET" and
 http.response.status_code == 200 and
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index 9d4d87b10..285357951 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -64,12 +64,13 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | where
 // Limit to 200 response code to reduce noise
 http.response.status_code == 200
diff --git a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
index 0565c4ae3..91ee05cae 100644
--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -58,12 +58,13 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | where
 http.request.method == "GET" and
 http.response.status_code in (404, 403)
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
index 54edd8307..bc28da9bd 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -59,12 +59,13 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | where
 http.request.method == "GET" and
 http.response.status_code in (
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
index 4eaf73c5e..013aa8703 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
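Review bot: Adding `logs-traefik.access-*` to the `from` clause changes what one client request contributes to this rule when Traefik fronts Nginx, Apache, Tomcat or IIS hosts that also ship their own access logs: the proxy and the origin each emit an event for the same request, so the `status_code in (` filter that starts at the end of this hunk (the query continues outside it) can match twice per request, and a spike is reached sooner than it was with origin logs alone. The same applies to reconnaissance_web_server_discovery_or_fuzzing_activity.toml, whose `in (404, 403)` filter presumably feeds a count as well. Whether this is a real problem depends on deployment topology and on how the rest of the query aggregates, neither of which is visible here; a comment such as `// Traefik and the servers behind it may both log the same request; counts are per event, not per request` above `from` would at least record the assumption for the next maintainer.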
@@ -59,12 +59,13 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | eval
 Esql.user_agent_original_to_lower = to_lower(user_agent.original),
 Esql.url_original_to_lower = to_lower(url.original)
diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml
index aabfd7ac7..a6611cbeb 100644
--- a/rules_building_block/persistence_web_server_potential_sql_injection.toml
+++ b/rules_building_block/persistence_web_server_potential_sql_injection.toml
@@ -1,9 +1,9 @@
 [metadata]
 bypass_bbr_timing = true
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/11/19"
+updated_date = "2026/03/16"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,8 @@ index = [
 "logs-nginx.access-*",
 "logs-apache.access-*",
 "logs-apache_tomcat.access-*",
- "logs-iis.access-*"
+ "logs-iis.access-*",
+ "logs-traefik.access-*"
 ]
 interval = "10m"
 language = "eql"
@@ -39,6 +40,7 @@ tags = [
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
 "Data Source: IIS",
+ "Data Source: Traefik",
 "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
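Review bot: The new `"logs-traefik.access-*"` entry in the BBR rule's `index` array is written without a trailing comma, while the equivalent entry added to defense_evasion_potential_http_downgrade_attack.toml in this same commit ends with one (`"logs-traefik.access-*",`). Both forms are valid TOML, but the two files now disagree on array style, and the next integration added here will again need a two-line diff (`- "logs-iis.access-*"` / `+ "logs-iis.access-*",`) exactly as this hunk needed for the IIS entry. Changing the line to `"logs-traefik.access-*",` keeps the array consistent with the other rule and makes future additions a single-line change.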