[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
* [Rule Tuning] Change event.dataset to data_stream.dataset * Update ESQL field names
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/17"
|
||||
integration = ["endpoint", "fortinet_fortigate"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -39,7 +39,7 @@ tags = [
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by source.port, source.ip, destination.ip with maxspan=1m
|
||||
[network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
|
||||
[network where data_stream.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
|
||||
[network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
|
||||
'''
|
||||
note = """## Triage and analysis
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/12/10"
|
||||
integration = ["endpoint", "suricata"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -38,7 +38,7 @@ tags = [
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by source.port, source.ip, destination.ip with maxspan=5s
|
||||
[network where event.dataset == "suricata.eve" and event.kind == "alert" and
|
||||
[network where data_stream.dataset == "suricata.eve" and event.kind == "alert" and
|
||||
event.severity != 3 and source.ip != null and destination.ip != null and
|
||||
not source.domain : ("*nessusscan*", "SCCMPS*") and
|
||||
not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/12/01"
|
||||
integration = ["aws", "gcp", "azure", "kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/26"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -126,26 +126,26 @@ FROM logs-azure.platformlogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-*, logs-ku
|
||||
| WHERE
|
||||
(
|
||||
/* AWS Secrets Manager */
|
||||
(event.dataset == "aws.cloudtrail" AND event.action == "GetSecretValue") OR
|
||||
(data_stream.dataset == "aws.cloudtrail" AND event.action == "GetSecretValue") OR
|
||||
|
||||
// Azure Key Vault (platform logs)
|
||||
(event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
|
||||
(data_stream.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
|
||||
|
||||
/* Google Secret Manager */
|
||||
(event.dataset IN ("googlecloud.audit", "gcp.audit") AND
|
||||
(data_stream.dataset IN ("googlecloud.audit", "gcp.audit") AND
|
||||
event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest")) OR
|
||||
|
||||
/* Kubernetes Secrets */
|
||||
(event.dataset == "kubernetes.audit_logs" AND kubernetes.audit.objectRef.resource == "secrets" AND kubernetes.audit.verb IN ("get", "list"))
|
||||
(data_stream.dataset == "kubernetes.audit_logs" AND kubernetes.audit.objectRef.resource == "secrets" AND kubernetes.audit.verb IN ("get", "list"))
|
||||
|
||||
) AND source.ip IS NOT NULL
|
||||
|
||||
// Cloud vendor label based on dataset
|
||||
| EVAL Esql.cloud_vendor = CASE(
|
||||
event.dataset == "aws.cloudtrail", "aws",
|
||||
event.dataset == "azure.platformlogs", "azure",
|
||||
event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
|
||||
event.dataset == "kubernetes.audit_logs", "k8s",
|
||||
data_stream.dataset == "aws.cloudtrail", "aws",
|
||||
data_stream.dataset == "azure.platformlogs", "azure",
|
||||
data_stream.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
|
||||
data_stream.dataset == "kubernetes.audit_logs", "k8s",
|
||||
"unknown"
|
||||
)
|
||||
// Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
|
||||
@@ -163,7 +163,7 @@ FROM logs-azure.platformlogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-*, logs-ku
|
||||
Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
|
||||
// Action & data source context
|
||||
Esql.event_action_values = VALUES(event.action),
|
||||
Esql.data_source_values = VALUES(event.dataset),
|
||||
Esql.data_source_values = VALUES(data_stream.dataset),
|
||||
// Cloud vendor + tenant context
|
||||
Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
|
||||
Esql.tenant_label_values = VALUES(Esql.tenant_label),
|
||||
|
||||
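Review bot: The `"googlecloud.audit"` alternative kept in the Google Secret Manager branch (`data_stream.dataset IN ("googlecloud.audit", "gcp.audit")`) and again in the cloud-vendor CASE looks unreachable now that the predicate is on `data_stream.dataset`: the FROM shown in the hunk header reads `logs-gcp.audit-*`, whose backing data streams carry dataset `gcp.audit` by the data-stream naming convention, while `googlecloud.audit` was an `event.dataset` value of the older module. Unless audit logs are deliberately rerouted into a custom `googlecloud.audit` data stream, both lists can shrink to `data_stream.dataset == "gcp.audit"`; confirm before dropping it. Separately, the rewritten Azure line keeps a lowercase `or` where the sibling AWS and GCP branches use `OR`, so `(data_stream.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) OR` would keep the new code consistent. The ES|QL query starts before this hunk.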
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/02/10"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/09"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -72,7 +72,7 @@ type = "eql"
|
||||
|
||||
query = '''
|
||||
sequence by host.id with maxspan=5m
|
||||
[any where event.dataset == "endpoint.alerts"]
|
||||
[any where data_stream.dataset == "endpoint.alerts"]
|
||||
![any where event.category in ("process", "library", "registry", "network", "dns", "file")]
|
||||
'''
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
|
||||
maturity = "production"
|
||||
min_stack_version = "9.2.0"
|
||||
min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -144,7 +144,7 @@ from
|
||||
agent.name,
|
||||
http.request.method,
|
||||
http.response.status_code,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
data_stream.namespace
|
||||
|
||||
| stats
|
||||
@@ -155,7 +155,7 @@ from
|
||||
Esql.http_request_method_values = values(http.request.method),
|
||||
Esql.http_response_status_code_values = values(http.response.status_code),
|
||||
Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
by source.ip
|
||||
'''
|
||||
|
||||
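Review bot: Renaming the output column `Esql.event_dataset_values` to `Esql.data_stream_dataset_values` in the `| stats` block changes the field name that lands on the alert document, and nothing in this hunk updates whatever consumes it — the rule's note/investigation fields, highlighted fields or any saved query keyed on the old name sit outside the hunk and need the same rename if they reference it. The same rename is made in the next file section with the identical stats block, in the `logs-endpoint.events.process-*` section, and in the `.alerts-security.*` sections that rename `Esql.event_dataset_distinct_count` / `Esql.event_dataset_values`. The cloud-secrets section in this same commit instead keeps a source-neutral name (`Esql.data_source_values = VALUES(data_stream.dataset)`), which survives this kind of field swap without touching consumers and may be the safer pattern here too. The ES|QL query starts before this hunk.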
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
|
||||
maturity = "production"
|
||||
min_stack_version = "9.2.0"
|
||||
min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -97,7 +97,7 @@ from
|
||||
agent.name,
|
||||
http.request.method,
|
||||
http.response.status_code,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
data_stream.namespace
|
||||
|
||||
| stats
|
||||
@@ -108,7 +108,7 @@ from
|
||||
Esql.http_request_method_values = values(http.request.method),
|
||||
Esql.http_response_status_code_values = values(http.response.status_code),
|
||||
Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
by source.ip
|
||||
'''
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/23"
|
||||
integration = ["aws", "endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -101,14 +101,14 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version
|
||||
| WHERE
|
||||
// CloudTrail SSM SendCommand with AWS-RunShellScript
|
||||
(
|
||||
event.dataset == "aws.cloudtrail"
|
||||
data_stream.dataset == "aws.cloudtrail"
|
||||
AND event.action == "SendCommand"
|
||||
AND aws.cloudtrail.request_parameters LIKE "*documentName=AWS-RunShellScript*"
|
||||
)
|
||||
// Linux endpoint process events, prefiltered to SSM shell runner OR LOLBins/GTFOBins
|
||||
OR
|
||||
(
|
||||
event.dataset == "endpoint.events.process"
|
||||
data_stream.dataset == "endpoint.events.process"
|
||||
AND host.os.type == "linux"
|
||||
AND (
|
||||
// SSM shell (_script.sh) runner
|
||||
@@ -149,8 +149,8 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version
|
||||
| WHERE Esql.aws_ssm_command_id IS NOT NULL
|
||||
|
||||
// Role flags
|
||||
| EVAL Esql.is_cloud_event = event.dataset == "aws.cloudtrail"
|
||||
| EVAL Esql.is_endpoint_event = event.dataset == "endpoint.events.process"
|
||||
| EVAL Esql.is_cloud_event = data_stream.dataset == "aws.cloudtrail"
|
||||
| EVAL Esql.is_endpoint_event = data_stream.dataset == "endpoint.events.process"
|
||||
|
||||
// Identify the SSM shell processes (the _script.sh runners)
|
||||
| EVAL Esql.is_ssm_shell_process =
|
||||
|
||||
+2
-2
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -105,7 +105,7 @@ sequence with maxspan=1s
|
||||
)
|
||||
) and process.interactive == true and container.id like "*"
|
||||
] by orchestrator.resource.name
|
||||
[any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
|
||||
[any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
+2
-2
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -107,7 +107,7 @@ sequence with maxspan=1s
|
||||
)
|
||||
) and process.interactive == true and container.id like "*"
|
||||
] by orchestrator.resource.name
|
||||
[any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
|
||||
[any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
|
||||
`kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
|
||||
] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
|
||||
'''
|
||||
|
||||
+2
-2
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -113,7 +113,7 @@ sequence with maxspan=1s
|
||||
)
|
||||
)] by orchestrator.resource.name
|
||||
[any where
|
||||
event.dataset == "kubernetes.audit_logs" and
|
||||
data_stream.dataset == "kubernetes.audit_logs" and
|
||||
kubernetes.audit.stage in ("ResponseStarted","ResponseComplete") and
|
||||
kubernetes.audit.verb in ("get", "list", "watch", "create", "patch", "update") and
|
||||
(
|
||||
|
||||
+2
-2
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -84,7 +84,7 @@ sequence with maxspan=60s
|
||||
[file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
|
||||
file.path in ("/var/run/secrets/kubernetes.io/serviceaccount/token", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") and
|
||||
process.interactive == true and container.id like "*"] by orchestrator.resource.name
|
||||
[any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
|
||||
[any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/03/26"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/04/06"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -98,7 +98,7 @@ FROM logs-endpoint.events.process-* METADATA _id, _version, _index
|
||||
process.parent.entity_id,
|
||||
agent.id,
|
||||
host.name,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
data_stream.namespace
|
||||
|
||||
| STATS
|
||||
@@ -107,7 +107,7 @@ FROM logs-endpoint.events.process-* METADATA _id, _version, _index
|
||||
Esql.process_command_line_values = VALUES(process.command_line),
|
||||
Esql.host_name_values = values(host.name),
|
||||
Esql.agent_id_values = values(agent.id),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/04/29"
|
||||
integration = ["azure", "o365"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/10"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
|
||||
| where @timestamp > now() - 8 hours
|
||||
// filter for azure or m365 sign-in and external alerts with source.ip not null
|
||||
| where to_ip(source.ip) is not null
|
||||
and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
|
||||
and (data_stream.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
|
||||
and not cidr_match(
|
||||
to_ip(source.ip),
|
||||
"10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
|
||||
@@ -93,13 +93,13 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
|
||||
)
|
||||
|
||||
// capture relevant raw fields
|
||||
| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
|
||||
| keep source.ip, event.action, event.outcome, data_stream.dataset, kibana.alert.rule.rule_id, event.category
|
||||
|
||||
// classify each source ip based on alert type
|
||||
| eval
|
||||
Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
|
||||
Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
|
||||
Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
|
||||
Esql.source_ip_mail_access_case = case(data_stream.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
|
||||
Esql.source_ip_azure_signin_case = case(data_stream.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
|
||||
Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not data_stream.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
|
||||
|
||||
// aggregate by source ip
|
||||
| stats
|
||||
@@ -107,8 +107,8 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
|
||||
Esql.source_ip_mail_access_case_count_distinct = count_distinct(Esql.source_ip_mail_access_case),
|
||||
Esql.source_ip_azure_signin_case_count_distinct = count_distinct(Esql.source_ip_azure_signin_case),
|
||||
Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
|
||||
Esql.event_dataset_count_distinct = count_distinct(event.dataset),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_count_distinct = count_distinct(data_stream.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
|
||||
Esql.event_category_values = values(event.category)
|
||||
by Esql.source_ip = to_ip(source.ip)
|
||||
@@ -116,7 +116,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
|
||||
// correlation condition
|
||||
| where
|
||||
Esql.source_ip_network_alert_case_count_distinct > 0
|
||||
and Esql.event_dataset_count_distinct >= 2
|
||||
and Esql.data_stream_dataset_count_distinct >= 2
|
||||
and (Esql.source_ip_mail_access_case_count_distinct > 0 or Esql.source_ip_azure_signin_case_count_distinct > 0)
|
||||
and Esql.event_count <= 100
|
||||
'''
|
||||
|
||||
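Review bot: The network-alert branch `not data_stream.dataset in ("o365.audit", "azure.signinlogs")` is not null-safe: in ES|QL `in` yields null when its left side is null, `not null` stays null, and `case` does not treat a null condition as true, so an alert document from `.alerts-security.*` that lacks `data_stream.dataset` falls to the default `null` and is no longer counted in `Esql.source_ip_network_alert_case_count_distinct`, which the final correlation requires to be `> 0`. Whether alert documents written for rule `eb079c62-4481-4d6e-9643-3ca499df7aaa` always carry `data_stream.dataset` is not visible here; if they may not, `(data_stream.dataset is null or not data_stream.dataset in ("o365.audit", "azure.signinlogs"))` keeps the branch alive. The same presence question applies to the new `Esql.data_stream_dataset_count_distinct >= 2` threshold, since `count_distinct` ignores nulls. The query starts before the first hunk of this section.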
+3
-3
@@ -3,7 +3,7 @@ creation_date = "2026/02/27"
|
||||
maturity = "production"
|
||||
min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/02/27"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -74,7 +74,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _versi
|
||||
),
|
||||
is_openclaw_spawn = process.parent.name in ("node", "node.exe") and (process.parent.command_line like "*openclaw*" or process.parent.command_line like "*moltbot*" or process.parent.command_line like "*clawdbot*")
|
||||
| WHERE process.Ext.ancestry IS NOT NULL and
|
||||
(event.dataset == "endpoint.alerts" or is_genai_spawn or is_openclaw_spawn)
|
||||
(data_stream.dataset == "endpoint.alerts" or is_genai_spawn or is_openclaw_spawn)
|
||||
// Identify GenAI tool spawn events and capture their entity_ids
|
||||
| EVAL genai_entity_id = CASE(is_genai_spawn or is_openclaw_spawn, process.parent.entity_id, NULL)
|
||||
|
||||
@@ -86,7 +86,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _versi
|
||||
|
||||
// Elastic Defend alerts from a GenAI grandparent
|
||||
| WHERE Esql.genai_ancestor_ids IS NOT NULL
|
||||
AND event.dataset == "endpoint.alerts" AND not rule.name in (
|
||||
AND data_stream.dataset == "endpoint.alerts" AND not rule.name in (
|
||||
"Persistence via GenAI Tool",
|
||||
"Code Editor Untrusted or Unsigned Child Process Execution",
|
||||
"Suspicious Credential Access via GenAI Tool",
|
||||
|
||||
+3
-3
@@ -3,7 +3,7 @@ creation_date = "2026/03/31"
|
||||
maturity = "production"
|
||||
min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/03/31"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -102,7 +102,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* METADATA _id, _versi
|
||||
false
|
||||
)
|
||||
|
||||
| WHERE process.Ext.ancestry IS NOT NULL AND (event.dataset == "endpoint.alerts" OR is_pkg_install)
|
||||
| WHERE process.Ext.ancestry IS NOT NULL AND (data_stream.dataset == "endpoint.alerts" OR is_pkg_install)
|
||||
|
||||
// Capture entity_ids for package install parent processes
|
||||
| EVAL all_entity_id = CASE(is_pkg_install, process.parent.entity_id, "null")
|
||||
@@ -114,7 +114,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* METADATA _id, _versi
|
||||
| EVAL Esql.pkg_ancestor_ids = MV_INTERSECTION(all_pkg_entity_ids, process.Ext.ancestry)
|
||||
|
||||
// Elastic Defend alerts descended from a package install process
|
||||
| WHERE Esql.pkg_ancestor_ids IS NOT NULL AND event.dataset == "endpoint.alerts"
|
||||
| WHERE Esql.pkg_ancestor_ids IS NOT NULL AND data_stream.dataset == "endpoint.alerts"
|
||||
|
||||
| KEEP *
|
||||
'''
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/27"
|
||||
integration = ["endpoint", "network_traffic"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -99,7 +99,7 @@ sequence by agent.id with maxspan=5m
|
||||
*/
|
||||
]
|
||||
[file where
|
||||
event.dataset == "endpoint.events.file" and
|
||||
data_stream.dataset == "endpoint.events.file" and
|
||||
event.action in ("creation", "rename") and
|
||||
file.extension in ("php", "phtml", "pht", "php5", "asp", "aspx", "jsp", "jspx", "war", "cgi")
|
||||
/* We can add file.path values here in the future, if telemetry is noisy */
|
||||
|
||||
+3
-3
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/02/20"
|
||||
integration = ["fortinet_fortigate"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/09"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -35,9 +35,9 @@ type = "eql"
|
||||
|
||||
query = '''
|
||||
sequence by user.name with maxspan=10m
|
||||
[authentication where event.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
|
||||
[authentication where data_stream.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
|
||||
user.name != "root"]
|
||||
[any where event.kind == "signal" and kibana.alert.rule.name != null and event.dataset != "fortinet_fortigate.log" and
|
||||
[any where event.kind == "signal" and kibana.alert.rule.name != null and data_stream.dataset != "fortinet_fortigate.log" and
|
||||
kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
|
||||
'''
|
||||
note = """## Triage and analysis
|
||||
|
||||
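Review bot: The second sequence item now requires `data_stream.dataset != "fortinet_fortigate.log"` on `event.kind == "signal"` documents, and as far as I know an EQL comparison against a missing field evaluates to null rather than true, so any alert that does not carry `data_stream.dataset` silently drops out of the sequence. If the intent is only to exclude FortiGate-sourced alerts, `(data_stream.dataset == null or data_stream.dataset != "fortinet_fortigate.log")` expresses that without depending on the field being present on every alert document; whether it is present is not visible in this hunk.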
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/14"
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
|
||||
event.type:creation and event.module:zoom and data_stream.dataset:zoom.webhook and
|
||||
event.action:meeting.created and not zoom.meeting.password:*
|
||||
'''
|
||||
note = """## Triage and analysis
|
||||
|
||||
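Review bot: The KQL now pairs `event.module:zoom` with `data_stream.dataset:zoom.webhook`, and the metadata in the first hunk of this section declares no `integration`, so it is not clear which data source the rule is expected to run on. `event.module` is a field the legacy Filebeat Zoom module populates, whereas `data_stream.dataset` is populated for Elastic Agent data streams; if only one of those paths is in use the conjunction may never match, so confirm the integration data stream also sets `event.module`, or drop `event.module:zoom` and let the dataset carry the discrimination. If the Zoom integration is the intended source, listing it under `integration` in the metadata would make that explicit.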
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/18"
|
||||
integration = ["endpoint", "panw", "fortinet_fortigate", "suricata"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/11"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -42,22 +42,22 @@ query = '''
|
||||
FROM logs-* metadata _id
|
||||
| WHERE
|
||||
// Elastic Defend Alerts
|
||||
(event.module == "endpoint" and event.dataset == "endpoint.alerts") or
|
||||
(event.module == "endpoint" and data_stream.dataset == "endpoint.alerts") or
|
||||
|
||||
// PANW suspicious events
|
||||
(event.dataset == "panw.panos" and
|
||||
(data_stream.dataset == "panw.panos" and
|
||||
event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied", "exploit_detected")) or
|
||||
|
||||
// Fortigate suspicious events
|
||||
(event.dataset == "fortinet_fortigate.log" and
|
||||
(data_stream.dataset == "fortinet_fortigate.log" and
|
||||
(event.action in ("outbreak-prevention", "infected", "blocked") or message like "backdoor*" or message like "Proxy*" or message like "anomaly*" or message like "P2P*" or message like "misc*" or message like "DNS.Over.HTTPS" or message like "Remote.Access")) or
|
||||
|
||||
// Suricata
|
||||
(event.dataset == "suricata.eve" and message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan", "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"))
|
||||
(data_stream.dataset == "suricata.eve" and message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan", "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"))
|
||||
|
||||
// extract source.ip from PANW or Fortigate events and host.ip from Elastic Defend alert
|
||||
|eval fw_alert_source_ip = CASE(event.dataset in ("panw.panos", "fortinet_fortigate.log"), source.ip, null),
|
||||
elastic_defend_alert_host_ip = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", host.ip, null)
|
||||
|eval fw_alert_source_ip = CASE(data_stream.dataset in ("panw.panos", "fortinet_fortigate.log"), source.ip, null),
|
||||
elastic_defend_alert_host_ip = CASE(event.module == "endpoint" and data_stream.dataset == "endpoint.alerts", host.ip, null)
|
||||
| eval Esql.source_ip = COALESCE(fw_alert_source_ip, elastic_defend_alert_host_ip)
|
||||
| where Esql.source_ip is not null
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/19"
|
||||
integration = ["endpoint", "checkpoint_email"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/15"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -35,11 +35,11 @@ from logs-endpoint.alerts-*, logs-checkpoint_email.event-* metadata _id
|
||||
// Email or Elastic Defend alerts where user name is populated
|
||||
| where
|
||||
(event.category == "email" and event.kind == "alert" and destination.user.name is not null) or
|
||||
(event.module == "endpoint" and event.dataset == "endpoint.alerts" and user.name is not null)
|
||||
(event.module == "endpoint" and data_stream.dataset == "endpoint.alerts" and user.name is not null)
|
||||
|
||||
// extract target user name from email and endpoint alerts
|
||||
| eval email_alert_target_user_name = CASE(event.category == "email", destination.user.name, null),
|
||||
elastic_defend_alert_user_name = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", user.name, null)
|
||||
elastic_defend_alert_user_name = CASE(event.module == "endpoint" and data_stream.dataset == "endpoint.alerts", user.name, null)
|
||||
| eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name)
|
||||
| where Esql.target_user_name is not null
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2022/11/16"
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,10 +32,10 @@ from .alerts-security.*
|
||||
Esql.rule_id_distinct_count = COUNT_DISTINCT(kibana.alert.rule.rule_id),
|
||||
Esql.host_id_distinct_count = COUNT_DISTINCT(host.id),
|
||||
Esql.risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
|
||||
Esql.event_dataset_distinct_count = COUNT_DISTINCT(event.dataset),
|
||||
Esql.data_stream_dataset_distinct_count = COUNT_DISTINCT(data_stream.dataset),
|
||||
Esql.rule_name_values = VALUES(kibana.alert.rule.name),
|
||||
Esql.risk_score_values = VALUES(kibana.alert.risk_score),
|
||||
Esql.event_dataset_values = VALUES(event.dataset),
|
||||
Esql.data_stream_dataset_values = VALUES(data_stream.dataset),
|
||||
Esql.event_module_values = VALUES(event.module),
|
||||
Esql.process_command_line = VALUES(process.command_line),
|
||||
Esql.host_id_values = VALUES(host.id),
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2026/02/03"
|
||||
maturity = "production"
|
||||
min_stack_comments = "ES|QL COMPLETION command requires Elastic Managed LLM (gp-llm-v2) available in 9.3.0+"
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/04/07"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -110,7 +110,7 @@ from .alerts-security.* METADATA _id, _version, _index
|
||||
Esql.host_name_values = VALUES(host.name),
|
||||
Esql.source_ip_values = VALUES(source.ip),
|
||||
Esql.destination_ip_values = VALUES(destination.ip),
|
||||
Esql.event_dataset_values = VALUES(event.dataset),
|
||||
Esql.data_stream_dataset_values = VALUES(data_stream.dataset),
|
||||
Esql.process_executable_values = VALUES(process.executable),
|
||||
Esql.user_email_values = VALUES(user.email),
|
||||
Esql.timestamp_min = MIN(@timestamp),
|
||||
@@ -131,7 +131,7 @@ from .alerts-security.* METADATA _id, _version, _index
|
||||
| eval Esql.hosts_str = COALESCE(MV_CONCAT(Esql.host_name_values, ", "), "unknown")
|
||||
| eval Esql.source_ips_str = COALESCE(MV_CONCAT(TO_STRING(Esql.source_ip_values), ", "), "unknown")
|
||||
| eval Esql.destination_ips_str = COALESCE(MV_CONCAT(TO_STRING(Esql.destination_ip_values), ", "), "unknown")
|
||||
| eval Esql.datasets_str = COALESCE(MV_CONCAT(Esql.event_dataset_values, ", "), "unknown")
|
||||
| eval Esql.datasets_str = COALESCE(MV_CONCAT(Esql.data_stream_dataset_values, ", "), "unknown")
|
||||
| eval Esql.processes_str = COALESCE(MV_CONCAT(Esql.process_executable_values, ", "), "unknown")
|
||||
| eval Esql.users_email_str = COALESCE(MV_CONCAT(Esql.user_email_values, "; "), "n/a")
|
||||
| eval alert_summary = CONCAT("User: ", user.name, " | Email: ", Esql.users_email_str, " | Alerts: ", TO_STRING(Esql.alerts_count), " | Distinct rules: ", TO_STRING(Esql.kibana_alert_rule_name_count_distinct), " | Hosts affected: ", TO_STRING(Esql.host_name_count_distinct), " | Time window: ", Esql.time_window_minutes, " min | Max risk: ", TO_STRING(Esql.kibana_alert_risk_score_max), " | Rules: ", Esql.rules_str, " | Tactics: ", Esql.tactics_str, " | Techniques: ", Esql.techniques_str, " | Hosts: ", Esql.hosts_str, " | Source IPs: ", Esql.source_ips_str, " | Destination IPs: ", Esql.destination_ips_str, " | Data sources: ", Esql.datasets_str, " | Processes: ", Esql.processes_str)
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2025/11/19"
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,7 +28,7 @@ from .alerts-security.* metadata _id
|
||||
// filter for alerts with populated risk score, excluding threat_match rules, deprecated and some other noisy ones.
|
||||
| where kibana.alert.risk_score > 0 and
|
||||
kibana.alert.rule.name IS NOT NULL and
|
||||
host.id is not null and event.dataset is not null and
|
||||
host.id is not null and data_stream.dataset is not null and
|
||||
kibana.alert.rule.type != "threat_match" and
|
||||
// Top noisy influencing rules
|
||||
not kibana.alert.rule.name in ("Agent Spoofing - Mismatched Agent ID", "Compression DLL Loaded by Unusual Process", "Process Termination followed by Deletion", "Suspicious PrintSpooler Service Executable File Creation", "Potential PrintNightmare File Modification") and
|
||||
|
||||
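Review bot: `data_stream.dataset is not null` now decides which `.alerts-security.*` documents feed this rule, and the hunk gives no reason why a populated dataset is required; alerts whose source document lacks `data_stream.dataset` (presence on alert documents is not visible here) are dropped without trace. A one-line comment above the `| where`, e.g. `// alerts with no data_stream.dataset are excluded — TODO(review): state why a dataset is required`, would record the intent for the next tuning pass; the same applies to the identical predicate in the next `.alerts-security.*` section. The query begins before this hunk.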
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2026/01/12"
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,7 +28,7 @@ from .alerts-security.* metadata _id
|
||||
|
||||
| where kibana.alert.risk_score > 21 and
|
||||
kibana.alert.rule.name IS NOT NULL and
|
||||
host.id is not null and event.dataset is not null and
|
||||
host.id is not null and data_stream.dataset is not null and
|
||||
|
||||
// excluding ML and Threat Match rules as they tend to be noisy
|
||||
not kibana.alert.rule.type in ("threat_match", "machine_learning") and
|
||||
|
||||
+2
-2
@@ -3,7 +3,7 @@ creation_date = "2026/02/19"
|
||||
maturity = "production"
|
||||
min_stack_comments = "ES|QL inline stats became generally available in 9.3.0"
|
||||
min_stack_version = "9.3.0"
|
||||
updated_date = "2026/02/19"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,7 +26,7 @@ type = "esql"
|
||||
|
||||
query = '''
|
||||
from logs-endpoint.alerts-* metadata _id
|
||||
| where event.dataset == "endpoint.alerts" and event.code == "behavior"
|
||||
| where data_stream.dataset == "endpoint.alerts" and event.code == "behavior"
|
||||
| INLINE STATS hosts = COUNT_DISTINCT(host.id) BY rule.name
|
||||
// excludes rules triggering on multiple hosts to reduce potential FPs
|
||||
| where hosts == 1
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2026/01/09"
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,7 +23,7 @@ type = "esql"
|
||||
|
||||
query = '''
|
||||
from .alerts-security.*
|
||||
| WHERE event.dataset in ("crowdstrike.alert", "crowdstrike.falcon", "sentinel_one.alert", "sentinel_one.threat", "m365_defender.alert") and
|
||||
| WHERE data_stream.dataset in ("crowdstrike.alert", "crowdstrike.falcon", "sentinel_one.alert", "sentinel_one.threat", "m365_defender.alert") and
|
||||
host.id is not null and kibana.alert.risk_score > 21 and
|
||||
not (event.module == "crowdstrike" and (kibana.alert.rule.name like "* at *" or kibana.alert.rule.name like "* on *" or kibana.alert.rule.name == "EICARTestFileWrittenWin")) and
|
||||
not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/01/22"
|
||||
integration = ["wiz"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/22"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -57,7 +57,7 @@ type = "esql"
|
||||
query = '''
|
||||
FROM logs-wiz.vulnerability-*
|
||||
|
||||
| WHERE event.dataset == "wiz.vulnerability" and event.category == "vulnerability" and
|
||||
| WHERE data_stream.dataset == "wiz.vulnerability" and event.category == "vulnerability" and
|
||||
wiz.vulnerability.vulnerable_asset.name is not null and
|
||||
wiz.vulnerability.vulnerable_asset.id is not null
|
||||
| stats Esql.count_distinct_vuln_id = COUNT_DISTINCT(wiz.vulnerability.id),
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2026/01/07"
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,7 +28,7 @@ FROM .alerts-security.*
|
||||
not kibana.alert.rule.type in ("threat_match", "machine_learning", "new_terms") and
|
||||
not kibana.alert.rule.name like "Deprecated - *" and kibana.alert.rule.name != "My First Rule" and
|
||||
// covered by 7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8
|
||||
event.dataset != "endpoint.alerts" and
|
||||
data_stream.dataset != "endpoint.alerts" and
|
||||
not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
|
||||
| STATS Esql.alerts_count = count(*),
|
||||
Esql.first_time_seen = MIN(@timestamp),
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/01/21"
|
||||
integration = ["panw"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,7 +26,7 @@ query = '''
|
||||
FROM logs-panw.panos-*, filebeat-* metadata _id
|
||||
|
||||
// exclude Informational and Low severity levels (4 and 5)
|
||||
| where event.dataset == "panw.panos" and TO_INTEGER(event.severity) <= 3 and event.action != "flood_detected"
|
||||
| where data_stream.dataset == "panw.panos" and TO_INTEGER(event.severity) <= 3 and event.action != "flood_detected"
|
||||
|
||||
| STATS Esql.alerts_count = count(*),
|
||||
Esql.first_time_seen = MIN(@timestamp),
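Review bot: The `FROM logs-panw.panos-*, filebeat-* metadata _id` source list still includes `filebeat-*`, but the filter on the following visible line now requires `data_stream.dataset == "panw.panos"`, which classic Filebeat module indices generally do not populate (they set `event.dataset`), so the `filebeat-*` pattern is likely dead after this change. Either drop `filebeat-*` from the FROM or record the narrowed coverage inline, e.g. `// filebeat-* panw module docs carry only event.dataset; only the integration data stream matches after the data_stream.dataset switch`. A quick count of matching documents per index pattern before and after the change would confirm no PAN-OS threat logs are lost. The rest of the query continues beyond the hunk.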
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/19"
|
||||
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -116,7 +116,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
http.response.status_code,
|
||||
user_agent.original,
|
||||
agent.name,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
data_stream.namespace
|
||||
|
||||
| stats
|
||||
@@ -130,7 +130,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
Esql.url_path_values = values(Esql.url_original_to_lower),
|
||||
Esql.http.response.status_code_values = values(http.response.status_code),
|
||||
Esql.user_agent_original_values = values(user_agent.original),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace),
|
||||
|
||||
// Rule Specific fields
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/19"
|
||||
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/19"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -73,7 +73,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
|
||||
| keep
|
||||
@timestamp,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
http.request.method,
|
||||
http.response.status_code,
|
||||
source.ip,
|
||||
@@ -90,7 +90,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
Esql.http_request_method_values = values(http.request.method),
|
||||
Esql.http_response_status_code_values = values(http.response.status_code),
|
||||
Esql.url_original_values = values(Esql.url_original_to_lower),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
by source.ip
|
||||
| where
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/19"
|
||||
integration = ["nginx", "apache", "apache_tomcat", "iis"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/05"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -68,7 +68,7 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
|
||||
| keep
|
||||
@timestamp,
|
||||
event.type,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
source.ip,
|
||||
agent.id,
|
||||
host.name,
|
||||
@@ -79,7 +79,7 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
|
||||
Esql.event_count = count(),
|
||||
Esql.host_name_values = values(host.name),
|
||||
Esql.agent_id_values = values(agent.id),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
by source.ip, agent.id
|
||||
| where
|
||||
|
||||
+3
-3
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/19"
|
||||
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/19"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -79,7 +79,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
|
||||
| keep
|
||||
@timestamp,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
http.request.method,
|
||||
http.response.status_code,
|
||||
source.ip,
|
||||
@@ -97,7 +97,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
Esql.http_request_method_values = values(http.request.method),
|
||||
Esql.http_response_status_code_values = values(http.response.status_code),
|
||||
Esql.url_path_values = values(Esql.url_original_to_lower),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
by source.ip, agent.id
|
||||
| where
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/11/19"
|
||||
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/19"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -96,7 +96,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
|
||||
| keep
|
||||
@timestamp,
|
||||
event.dataset,
|
||||
data_stream.dataset,
|
||||
user_agent.original,
|
||||
source.ip,
|
||||
agent.id,
|
||||
@@ -111,7 +111,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
|
||||
Esql.agent_id_values = values(agent.id),
|
||||
Esql.url_original_values = values(Esql.url_original_to_lower),
|
||||
Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
|
||||
Esql.event_dataset_values = values(event.dataset),
|
||||
Esql.data_stream_dataset_values = values(data_stream.dataset),
|
||||
Esql.data_stream_namespace_values = values(data_stream.namespace)
|
||||
by source.ip, agent.id
|
||||
| where
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/10"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "cloudtrail.amazonaws.com"
|
||||
and event.action: "CreateTrail"
|
||||
and event.outcome: "success"
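Review bot: This KQL rule's `index` pattern is outside the hunk, so it is worth confirming that it lists only the `logs-aws.cloudtrail-*` data stream; if a legacy `filebeat-*` pattern is still present, those CloudTrail documents match on `event.dataset` but not on the new `data_stream.dataset: "aws.cloudtrail"` term, and the CreateTrail detection would quietly stop firing for them. A simple regression check is to run both forms of the dataset term over the same window and confirm equal hit counts. The same consideration applies to the other CloudTrail KQL rules in this commit, which receive the identical one-line change.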
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/12/17"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -105,7 +105,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "s3.amazonaws.com"
|
||||
and event.action: (
|
||||
"GetObject" or
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/10"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset:"aws.cloudtrail"
|
||||
data_stream.dataset:"aws.cloudtrail"
|
||||
and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData"
|
||||
and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
|
||||
'''
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/07/20"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
iam where event.dataset == "aws.cloudtrail"
|
||||
iam where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.action == "AttachUserPolicy"
|
||||
and event.outcome == "success"
|
||||
and stringContains(aws.cloudtrail.request_parameters, "AWSCompromisedKeyQuarantine")
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/04/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/04/06"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.outcome: "success"
|
||||
and source.ip:*
|
||||
and aws.cloudtrail.user_identity.access_key_id: AKIA*
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/04"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail and
|
||||
data_stream.dataset: aws.cloudtrail and
|
||||
event.provider: iam.amazonaws.com and
|
||||
event.action: AddUserToGroup and
|
||||
event.outcome: success
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Nick Jones", "Elastic"]
|
||||
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: secretsmanager.amazonaws.com
|
||||
and event.action: GetSecretValue
|
||||
and event.outcome: success
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/11"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "secretsmanager.amazonaws.com"
|
||||
and event.action: "GetSecretValue"
|
||||
and event.outcome: "success"
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: "ssm.amazonaws.com"
|
||||
and event.action: (GetParameters or GetParameter)
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/21"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -118,7 +118,7 @@ timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and
|
||||
data_stream.dataset:aws.cloudtrail and
|
||||
event.provider:signin.amazonaws.com and
|
||||
event.action:ConsoleLogin and
|
||||
aws.cloudtrail.user_identity.type:Root and
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/26"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "cloudtrail.amazonaws.com"
|
||||
and event.action: "DeleteTrail"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/06/10"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and aws.cloudtrail.flattened.request_parameters.reason: "requestParameters too large" and aws.cloudtrail.flattened.request_parameters.omitted : true and event.outcome: success
|
||||
data_stream.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and aws.cloudtrail.flattened.request_parameters.reason: "requestParameters too large" and aws.cloudtrail.flattened.request_parameters.omitted : true and event.outcome: success
|
||||
'''
|
||||
|
||||
[rule.investigation_fields]
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/10"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "cloudtrail.amazonaws.com"
|
||||
and event.action: "StopLogging"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/15"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -119,7 +119,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "monitoring.amazonaws.com"
|
||||
and event.action: "DeleteAlarms"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/26"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Austin Songer"]
|
||||
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: config.amazonaws.com
|
||||
and event.outcome: success
|
||||
and event.action: (DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/16"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -100,7 +100,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: config.amazonaws.com
|
||||
and event.action: StopConfigurationRecorder
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/15"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/06/05"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
|
||||
data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
|
||||
'''
|
||||
|
||||
[rule.investigation_fields]
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/26"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
|
||||
data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
|
||||
'''
|
||||
[rule.investigation_fields]
|
||||
field_names = [
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/02/05"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -107,7 +107,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "ec2.amazonaws.com"
|
||||
and event.action: "EnableSerialConsoleAccess"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/28"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -105,7 +105,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: guardduty.amazonaws.com
|
||||
and event.action: DeleteDetector
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/02/05"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/05"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "guardduty.amazonaws.com"
|
||||
and event.action: (
|
||||
"DisassociateFromAdministratorAccount" or
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/29"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer", "Elastic"]
|
||||
@@ -144,7 +144,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "rds.amazonaws.com"
|
||||
and event.action: ("RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3")
|
||||
and event.outcome: "success"
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -109,7 +109,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: route53resolver.amazonaws.com
|
||||
and event.action: DeleteResolverQueryLogConfig
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/27"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -109,7 +109,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and
|
||||
data_stream.dataset:aws.cloudtrail and
|
||||
event.provider:s3.amazonaws.com and
|
||||
event.action:(DeleteBucketPolicy or
|
||||
DeleteBucketReplication or
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -131,7 +131,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.action == "PutBucketLifecycle"
|
||||
and event.outcome == "success"
|
||||
and stringContains(aws.cloudtrail.request_parameters, "Expiration=")
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/07/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -103,7 +103,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.provider == "s3.amazonaws.com"
|
||||
and event.action == "PutBucketLogging"
|
||||
and event.outcome == "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/01/08"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "sqs.amazonaws.com"
|
||||
and event.action: "PurgeQueue"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/08/19"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider:sts.amazonaws.com
|
||||
and event.action:GetFederationToken
|
||||
and event.outcome:success
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/16"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: ec2.amazonaws.com
|
||||
and event.action: AuthorizeSecurityGroupIngress
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/21"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -151,7 +151,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
|
||||
and event.action: DeleteWebACL
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/09"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -130,7 +130,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
|
||||
and event.action: (DeleteRule or DeleteRuleGroup)
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/12/24"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -104,7 +104,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "ec2.amazonaws.com"
|
||||
and event.action: "DescribeImages"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/14"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "ec2.amazonaws.com"
|
||||
and event.action: "DescribeInstanceAttribute"
|
||||
and event.outcome: "success"
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/16"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -105,7 +105,7 @@ timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "iam.amazonaws.com"
|
||||
and event.action: "UpdateAssumeRolePolicy"
|
||||
and aws.cloudtrail.error_code: "MalformedPolicyDocumentException"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["aws"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
|
||||
min_stack_version = "9.2.0"
|
||||
updated_date = "2026/04/01"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -142,7 +142,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
|
||||
| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
|
||||
|
||||
| where
|
||||
event.dataset == "aws.cloudtrail"
|
||||
data_stream.dataset == "aws.cloudtrail"
|
||||
|
||||
// exclude service account and console behavior
|
||||
and source.ip IS NOT NULL
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/05/24"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "sts.amazonaws.com"
|
||||
and event.action: "GetCallerIdentity"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/04/01"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/04/01"
|
||||
updated_date = "2026/04/10"
|
||||
min_stack_version = "9.2.0"
|
||||
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
|
||||
|
||||
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.outcome: "success"
|
||||
and source.ip:*
|
||||
and not aws.cloudtrail.session_credential_from_console: "true"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["aws"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
|
||||
min_stack_version = "9.2.0"
|
||||
updated_date = "2026/04/02"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -107,7 +107,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
|
||||
| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
|
||||
|
||||
| where
|
||||
event.dataset == "aws.cloudtrail"
|
||||
data_stream.dataset == "aws.cloudtrail"
|
||||
and event.provider == "s3.amazonaws.com"
|
||||
and event.outcome == "success"
|
||||
and event.action in (
|
||||
|
||||
+2
-2
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2024/08/26"
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -91,7 +91,7 @@ from logs-aws.cloudtrail-* METADATA _id, _version, _index
|
||||
|
||||
// filter for GetServiceQuota API calls
|
||||
| where
|
||||
event.dataset == "aws.cloudtrail"
|
||||
data_stream.dataset == "aws.cloudtrail"
|
||||
and event.provider == "servicequotas.amazonaws.com"
|
||||
and event.action == "GetServiceQuota"
|
||||
|
||||
|
||||
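Review bot: The `| where data_stream.dataset == "aws.cloudtrail"` predicate looks redundant with the `from logs-aws.cloudtrail-* METADATA ...` source shown in the hunk header, since under the usual `type-dataset-namespace` naming every index matched by that pattern should already carry that dataset value. If it is kept deliberately as a guard against differently named data streams, a short comment would make that clear, e.g. `// dataset guard: the FROM pattern already scopes to aws.cloudtrail; kept for renamed streams`. Otherwise the line could be dropped so the `where` starts at the provider filter. The ES|QL query continues outside the hunk on both sides.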
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/02/11"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "ssm.amazonaws.com"
|
||||
and (
|
||||
event.action: ("GetInventory" or "GetInventorySchema" or "ListInventoryEntries" or "DescribeInstancePatches" or "ListCommands")
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/03/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "cloudshell.amazonaws.com"
|
||||
and event.action: "CreateEnvironment"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/30"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -98,7 +98,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: lambda.amazonaws.com
|
||||
and event.outcome: success
|
||||
and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration*)
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/07/25"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -41,7 +41,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
|
||||
data_stream.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
|
||||
event.action: (CreateStack or CreateStackInstances)
|
||||
and event.outcome:success
|
||||
'''
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/11/01"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/06/25"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "ssm.amazonaws.com"
|
||||
and event.action: "CreateDocument"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/07/10"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "ssm.amazonaws.com"
|
||||
and event.action: "SendCommand"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/03/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "dynamodb.amazonaws.com"
|
||||
and event.action: "Scan"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/03/13"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "dynamodb.amazonaws.com"
|
||||
and event.action: "ExportTableToPointInTime"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/16"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/07/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
|
||||
data_stream.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
|
||||
and event.action: ModifyImageAttribute and event.outcome: success
|
||||
and aws.cloudtrail.request_parameters: *add=*
|
||||
and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/16"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -113,7 +113,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.action == "ModifySnapshotAttribute"
|
||||
and event.outcome == "success"
|
||||
and stringContains (aws.cloudtrail.request_parameters, "attributeType=CREATE_VOLUME_PERMISSION")
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/10/23"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -91,7 +91,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail" and
|
||||
data_stream.dataset: "aws.cloudtrail" and
|
||||
event.provider: "ec2.amazonaws.com" and
|
||||
event.action: ("CreateInstanceExportTask" or "ExportImage" or "CreateStoreImageTask") and
|
||||
event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/05/05"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Austin Songer"]
|
||||
@@ -113,7 +113,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail" and
|
||||
data_stream.dataset: "aws.cloudtrail" and
|
||||
event.provider: "ec2.amazonaws.com" and
|
||||
event.action: "CreateTrafficMirrorSession" and
|
||||
event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/06/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Austin Songer"]
|
||||
@@ -141,7 +141,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: rds.amazonaws.com
|
||||
and event.action: StartExportTask
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/06/25"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -133,7 +133,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.provider == "rds.amazonaws.com"
|
||||
and event.outcome == "success"
|
||||
and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute")
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/17"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -130,7 +130,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.provider == "s3.amazonaws.com"
|
||||
and event.action == "PutBucketPolicy"
|
||||
and event.outcome == "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/10/30"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/16"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -129,7 +129,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.provider == "s3.amazonaws.com"
|
||||
and event.action == "PutBucketPolicy"
|
||||
and event.outcome == "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/07/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -139,7 +139,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.action == "PutBucketReplication"
|
||||
and event.outcome == "success"
|
||||
and stringContains(aws.cloudtrail.request_parameters, "Account=")
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2026/02/09"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -101,7 +101,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and user_agent.original: (*S3 Browser* or *Cyberduck*)
|
||||
and event.outcome: "success"
|
||||
'''
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/11/01"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "sns.amazonaws.com"
|
||||
and event.action: "Subscribe"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/10/17"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer", "Elastic"]
|
||||
@@ -112,7 +112,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: aws.cloudtrail
|
||||
data_stream.dataset: aws.cloudtrail
|
||||
and event.provider: events.amazonaws.com
|
||||
and event.action: (DeleteRule or DisableRule)
|
||||
and event.outcome: success
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/05/01"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail" and
|
||||
data_stream.dataset: "aws.cloudtrail" and
|
||||
event.provider : "s3.amazonaws.com" and
|
||||
aws.cloudtrail.error_code : "AccessDenied" and
|
||||
tls.client.server_name : *
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/10"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "cloudtrail.amazonaws.com"
|
||||
and event.action: "UpdateTrail"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/18"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -140,7 +140,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "logs.amazonaws.com"
|
||||
and event.action: "DeleteLogGroup"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/05/20"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -127,7 +127,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "logs.amazonaws.com"
|
||||
and event.action: "DeleteLogStream"
|
||||
and event.outcome: "success"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/06/05"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -119,7 +119,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
|
||||
data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
|
||||
'''
|
||||
|
||||
|
||||
|
||||
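Review bot: The rewritten query line `data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success` keeps all four clauses on one line with unquoted values, whereas the other KQL rules in this diff put one clause per line with quoted values. Since the line is being touched anyway, aligning it with that layout would make the next field rename a one-line diff; on keyword fields the quoted form should match the same documents, but that is worth confirming with the rule's unit test. The `query = '''` and closing `'''` are both inside this hunk, so the whole query is visible.

```toml
query = '''
data_stream.dataset: "aws.cloudtrail"
and event.provider: "ec2.amazonaws.com"
and event.action: "DisableEbsEncryptionByDefault"
and event.outcome: "success"
'''
```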
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/06/02"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/03/24"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -106,7 +106,7 @@ timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
info where event.dataset == "aws.cloudtrail"
|
||||
info where data_stream.dataset == "aws.cloudtrail"
|
||||
and event.action == "ModifySnapshotAttribute"
|
||||
and event.outcome == "success"
|
||||
and stringContains (aws.cloudtrail.request_parameters, "attributeType=CREATE_VOLUME_PERMISSION")
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/08/27"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/01/21"
|
||||
updated_date = "2026/04/10"
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer", "Elastic"]
|
||||
@@ -132,7 +132,7 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset: "aws.cloudtrail"
|
||||
data_stream.dataset: "aws.cloudtrail"
|
||||
and event.provider: "elasticfilesystem.amazonaws.com"
|
||||
and event.action: "DeleteFileSystem"
|
||||
and event.outcome: "success"
|
||||
|
||||