Revert "[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578)" (#5620)

This reverts commit c608b673bf.
This commit is contained in:
Mika Ayenson, PhD
2026-01-26 08:31:53 -06:00
committed by GitHub
parent 7221db6b36
commit bbe83452b4
15 changed files with 34 additions and 55 deletions
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.5.32"
version = "1.5.31"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/07/07"
[rule]
author = ["Elastic"]
@@ -18,7 +18,6 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -97,7 +96,6 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -106,7 +104,7 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name == "kubectl" and (
process.args == "port-forward" and process.args like "*:*" or
process.args == "port-forward" and process.command_line like "*:*" or
process.args in ("proxy", "expose")
) and (
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
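Review bot: `updated_date = "2025/07/07"` in the [metadata] hunk moves the rule's last-modified date backwards even though this commit changes the rule's integration list, index patterns, tags and query, so the metadata no longer records its latest change. A mechanical revert produces exactly this, but anything that keys on updated_date (release notes, rule-update notices) will present an edited rule with a stale date; I would set `updated_date = "2026/01/26"` here, and the same applies to the eleven other rule files in this commit, whose [metadata] hunks roll back to 2025/12/18, 2025/12/19, 2025/12/22, 2025/12/24 and 2025/10/17. Whether the repository's version lock is also expected to move together with the date is something I cannot see from this page. The `process.command_line like "*:*"` line sits inside the `query = '''` literal, which opens and closes outside the hunk.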
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud_defend"]
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -21,7 +21,6 @@ index = [
"logs-auditd_manager.auditd-*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -101,7 +100,6 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -18,7 +18,6 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -100,7 +99,6 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -112,7 +110,7 @@ event.action in ("exec", "exec_event", "start", "executed", "process_started") a
process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl") or
process.name like ".*"
) and
process.args like~ (
process.command_line like~ (
// get and describe commands
"*get po*", "*get deploy*", "*get node*", "*get svc*", "*get service*", "*get secret*", "*get clusterrole*", "*get ingress*",
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/03/04"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -21,7 +21,6 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -101,7 +100,6 @@ tags = [
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -110,7 +108,7 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("curl", "socat", "nc", "netcat", "ncat", "nc.traditional") and
process.args like ("*/var/run/docker.sock*", "*/run/docker.sock*") and
process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*") and
process.parent.executable != null and
not (
process.parent.executable in ("/usr/sbin/sshd", "/www/server/panel/BT-Panel") or
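Review bot: In the restored `process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*")` the first pattern is already covered by the second, since `*/run/docker.sock*` matches a command line containing /var/run/docker.sock just as it matches /run/docker.sock, so the pair reads as two distinct locations when it is a single condition. Either keep only `process.command_line like "*/run/docker.sock*" and`, or add a `// both socket paths listed for readability` comment above the line so the next reader does not try to "fix" it. The `not (` exclusion block that follows continues past the end of the hunk, as does the `query = '''` literal that contains it.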
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/17"
integration = ["endpoint", "cloud_defend"]
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -17,7 +17,6 @@ directories.
from = "now-9m"
index = [
"logs-endpoint.events.process*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -98,7 +97,6 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/17"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -19,7 +19,6 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -102,7 +101,6 @@ tags = [
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -19,7 +19,6 @@ index = [
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-auditd_manager.auditd-*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -98,7 +97,6 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -108,7 +106,7 @@ process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "process_started", "executed") and
process.name == "kubectl" and process.args == "apply" and
process.args like ("http://*", "https://*") and
not ?process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")
not process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")
'''
[[rule.threat]]
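Review bot: The restored `not process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")` references process.command_line without the optional-field marker, while the rule still spans auditd_manager, crowdstrike and sentinel_one_cloud_funnel besides endpoint. If any of those sources emits the exec event without process.command_line, the comparison against null yields null, `not null` stays null and, as far as I can tell from EQL's three-valued logic, the event is silently dropped instead of passing the exclusion. If every remaining source is known to populate the field this is fine; otherwise `not ?process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")` keeps the exclusion safe without any dependency on cloud_defend. The query literal opens before the hunk; only its closing `'''` is visible here.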
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/23"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -20,7 +20,6 @@ index = [
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-auditd_manager.auditd-*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -102,7 +101,6 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/17"
integration = ["endpoint", "cloud_defend"]
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/19"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ create or modify kubeconfig files to gain unauthorized initial access to Kuberne
move laterally within the cluster.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Kubeconfig File Creation or Modification"
@@ -95,7 +95,6 @@ tags = [
"Tactic: Defense Evasion",
"Tactic: Initial Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -112,7 +111,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
"/var/lib/*/kubeconfig"
) and not (
process.name in ("kubeadm", "kubelet", "vcluster", "minikube", "kind") or
(process.name == "sed" and ?file.Ext.original.name like "sed*") or
(process.name == "sed" and file.Ext.original.name like "sed*") or
process.executable like (
"/usr/local/bin/k3d", "/usr/local/aws-cli/*/dist/aws", "/usr/local/bin/ks", "/usr/local/bin/aws",
"/usr/local/bin/kubectl"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/26"
integration = ["endpoint", "cloud_defend"]
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/22"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ vulnerabilities in Kubernetes environments. Attackers may attempt to modify thes
deploy malicious containers within the Kubernetes cluster.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Kubernetes Sensitive Configuration File Activity"
@@ -90,7 +90,6 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
integration = ["endpoint", "auditd_manager", "crowdstrike"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/12/24"
[rule]
author = ["Elastic"]
@@ -19,8 +19,7 @@ index = [
"endgame-*",
"auditbeat-*",
"logs-auditd_manager.auditd-*",
"logs-crowdstrike.fdr*",
"logs-cloud_defend.process*"
"logs-crowdstrike.fdr*"
]
interval = "60m"
language = "eql"
@@ -41,7 +40,6 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: Elastic Defend for Containers",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
integration = ["endpoint", "auditd_manager", "crowdstrike"]
maturity = "production"
updated_date = "2026/01/19"
updated_date = "2025/10/17"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ resources. In environments where kubectl is not expected to be used, this could
reconnaissance activity by an adversary.
"""
from = "now-119m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-cloud_defend.process*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -35,7 +35,6 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: Elastic Defend for Containers",
]
timestamp_override = "event.ingested"
type = "eql"