[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578)

* [Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules

* Update manifests & schemas

* [New/Updated] Migrated `process.command_line` --> `process.args` for Compatibility

* Pyproject.toml Patch

* ++
This commit is contained in:
Ruben Groenewoud
2026-01-26 13:28:08 +01:00
committed by GitHub
parent 5b092d7831
commit c608b673bf
15 changed files with 55 additions and 34 deletions
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.5.31"
version = "1.5.32"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
maturity = "production"
updated_date = "2025/07/07"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -96,6 +97,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -104,7 +106,7 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name == "kubectl" and (
process.args == "port-forward" and process.command_line like "*:*" or
process.args == "port-forward" and process.args like "*:*" or
process.args in ("proxy", "expose")
) and (
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -21,6 +21,7 @@ index = [
"logs-auditd_manager.auditd-*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -100,6 +101,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -99,6 +100,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -110,7 +112,7 @@ event.action in ("exec", "exec_event", "start", "executed", "process_started") a
process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl") or
process.name like ".*"
) and
process.command_line like~ (
process.args like~ (
// get and describe commands
"*get po*", "*get deploy*", "*get node*", "*get svc*", "*get service*", "*get secret*", "*get clusterrole*", "*get ingress*",
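Review bot: The swap to `process.args like~ (` breaks every pattern in this list that spans two argv tokens: `"*get po*"`, `"*get deploy*"`, `"*get node*"` and the rest were written against the joined command line, but `process.args` is an array and `like~` tests each element on its own, so `kubectl get pods` yields the elements `get` and `pods` and no single element contains `get po`. As written the rule stops firing on all sources rather than gaining cloud_defend coverage. Express the verb and the resource as separate element checks instead, e.g. `process.args == "get" and process.args like~ ("po*", "deploy*", "node*", "svc*", "service*", "secret*", "clusterrole*", "ingress*")`, and apply the same treatment to the describe patterns and the remainder of the list, which continues past this hunk. The only case the old form caught that per-element matching cannot is a command line passed through a shell wrapper, which the executable filter above this hunk does not appear to target anyway.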
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/03/04"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -21,6 +21,7 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -100,6 +101,7 @@ tags = [
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -108,7 +110,7 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("curl", "socat", "nc", "netcat", "ncat", "nc.traditional") and
process.command_line like ("*/var/run/docker.sock*", "*/run/docker.sock*") and
process.args like ("*/var/run/docker.sock*", "*/run/docker.sock*") and
process.parent.executable != null and
not (
process.parent.executable in ("/usr/sbin/sshd", "/www/server/panel/BT-Panel") or
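Review bot: `process.parent.executable != null` two lines below the change, together with the parent-path exclusion list that follows it, decides whether any event from the newly indexed `logs-cloud_defend.process*` stream can match; if that stream does not populate `process.parent.executable`, the added index pattern adds no coverage here, which is worth confirming against the cloud_defend process mapping before shipping. The `process.args like (...)` rewrite itself is sound for this rule, since a socket path such as `/var/run/docker.sock` is passed as its own argument or inside a single `UNIX-CONNECT:`-style token, so per-element matching keeps the original intent. The `not (` group at the end of the hunk continues outside it.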
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/17"
integration = ["endpoint"]
integration = ["endpoint", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -17,6 +17,7 @@ directories.
from = "now-9m"
index = [
"logs-endpoint.events.process*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -97,6 +98,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/17"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -101,6 +102,7 @@ tags = [
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-auditd_manager.auditd-*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -97,6 +98,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -106,7 +108,7 @@ process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "process_started", "executed") and
process.name == "kubectl" and process.args == "apply" and
process.args like ("http://*", "https://*") and
not process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")
not ?process.command_line like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")
'''
[[rule.threat]]
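Review bot: The exclusion `not ?process.command_line like (...)` is the only place in this query that still reads `process.command_line`, and the optional marker signals that the field is absent on the cloud_defend source being added; if so, the allowlist for `download.elastic.co` and `github.com/kubernetes-sigs/` cannot be evaluated for those events, so a legitimate `kubectl apply -f https://github.com/kubernetes-sigs/...` from a container will either alert or, depending on how the null propagates through `not`, never match at all. The positive match one line up already uses `process.args like ("http://*", "https://*")`, and since the URL is a single argv element the exclusion can use the same field for every source: `not process.args like ("*download.elastic.co*", "*github.com/kubernetes-sigs/*")`. That also removes the need for the optional-field marker here.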
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/23"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -20,6 +20,7 @@ index = [
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-auditd_manager.auditd-*",
"logs-cloud_defend.process*",
]
language = "eql"
license = "Elastic License v2"
@@ -101,6 +102,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/17"
integration = ["endpoint"]
integration = ["endpoint", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/19"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ create or modify kubeconfig files to gain unauthorized initial access to Kuberne
move laterally within the cluster.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"]
language = "eql"
license = "Elastic License v2"
name = "Kubeconfig File Creation or Modification"
@@ -95,6 +95,7 @@ tags = [
"Tactic: Defense Evasion",
"Tactic: Initial Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -111,7 +112,7 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
"/var/lib/*/kubeconfig"
) and not (
process.name in ("kubeadm", "kubelet", "vcluster", "minikube", "kind") or
(process.name == "sed" and file.Ext.original.name like "sed*") or
(process.name == "sed" and ?file.Ext.original.name like "sed*") or
process.executable like (
"/usr/local/bin/k3d", "/usr/local/aws-cli/*/dist/aws", "/usr/local/bin/ks", "/usr/local/bin/aws",
"/usr/local/bin/kubectl"
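Review bot: Marking the field optional in `(process.name == "sed" and ?file.Ext.original.name like "sed*")` only suppresses the unmapped-field error; on the newly added `logs-cloud_defend.file*` stream this branch of the exclusion can only match if `file.Ext.original.name` is populated there, which the optional marker suggests it is not, so in-place `sed` edits of kubeconfig files from that source may no longer be excluded and could raise noise. Worth confirming against the cloud_defend file mapping and, if the field is indeed absent, deciding whether `process.name == "sed"` on its own is an acceptable exclusion for that source. The enclosing `not (` group begins in this hunk and continues past it.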
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/26"
integration = ["endpoint"]
integration = ["endpoint", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/22"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ vulnerabilities in Kubernetes environments. Attackers may attempt to modify thes
deploy malicious containers within the Kubernetes cluster.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
index = ["logs-endpoint.events.file*", "logs-cloud_defend.file*"]
language = "eql"
license = "Elastic License v2"
name = "Kubernetes Sensitive Configuration File Activity"
@@ -90,6 +90,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "crowdstrike"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
maturity = "production"
updated_date = "2025/12/24"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -19,7 +19,8 @@ index = [
"endgame-*",
"auditbeat-*",
"logs-auditd_manager.auditd-*",
"logs-crowdstrike.fdr*"
"logs-crowdstrike.fdr*",
"logs-cloud_defend.process*"
]
interval = "60m"
language = "eql"
@@ -40,6 +41,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: Elastic Defend for Containers",
]
timestamp_override = "event.ingested"
type = "eql"
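Review bot: The added element `"logs-cloud_defend.process*"` at the end of the `index` array carries no trailing comma, unlike the same addition in the other rule files in this commit, which end their multi-line arrays with `,`. Writing it as `"logs-cloud_defend.process*",` keeps the files consistent and makes the next addition a one-line change.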
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "crowdstrike"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ resources. In environments where kubectl is not expected to be used, this could
reconnaissance activity by an adversary.
"""
from = "now-119m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-cloud_defend.process*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -35,6 +35,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: Elastic Defend for Containers",
]
timestamp_override = "event.ingested"
type = "eql"