diff --git a/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml b/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
index 1c1a7132b..4abf48c2e 100644
--- a/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
+++ b/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/17"
 integration = ["endpoint", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
+ [network where data_stream.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 46c2d3682..fabaab110 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/10"
 integration = ["endpoint", "suricata"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
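Review bot: The first `[network where ...]` clause now matches only documents that carry `data_stream.dataset`, which Fleet-managed data streams populate but documents that reach a plain index through another path (a custom pipeline that sets `event.dataset`) may not, so such FortiGate events silently stop matching; the same consideration applies to every other `event.dataset` → `data_stream.dataset` swap in this commit and is most consequential in multiple_alerts_risky_host_esql.toml, where `data_stream.dataset is not null` becomes a hard filter over `.alerts-security.*`. If Fleet data streams are now a stated prerequisite, one sentence in each rule's `note` such as `This rule expects data ingested through the Fleet integration data streams, which populate data_stream.dataset.` makes that explicit; otherwise a fallback `(data_stream.dataset == "fortinet_fortigate.log" or event.dataset == "fortinet_fortigate.log")` keeps the previous coverage. The `sequence` block closes within the hunk.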
@@ -38,7 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=5s
- [network where event.dataset == "suricata.eve" and event.kind == "alert" and
+ [network where data_stream.dataset == "suricata.eve" and event.kind == "alert" and
 event.severity != 3 and source.ip != null and destination.ip != null and not source.domain : ("*nessusscan*", "SCCMPS*") and not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
diff --git a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
index a8745d159..561b97857 100644
--- a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
+++ b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/01"
 integration = ["aws", "gcp", "azure", "kubernetes"]
 maturity = "production"
-updated_date = "2026/03/26"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -126,26 +126,26 @@ FROM logs-azure.platformlogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-*, logs-ku
 | WHERE (
 /* AWS Secrets Manager */
- (event.dataset == "aws.cloudtrail" AND event.action == "GetSecretValue") OR
+ (data_stream.dataset == "aws.cloudtrail" AND event.action == "GetSecretValue") OR
 // Azure Key Vault (platform logs)
- (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
+ (data_stream.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
 /* Google Secret Manager */
- (event.dataset IN ("googlecloud.audit", "gcp.audit") AND
+ (data_stream.dataset IN ("googlecloud.audit", "gcp.audit") AND
 event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest")) OR
 /* Kubernetes Secrets */
- (event.dataset == "kubernetes.audit_logs" AND kubernetes.audit.objectRef.resource == "secrets" AND kubernetes.audit.verb IN ("get", "list"))
+ (data_stream.dataset == "kubernetes.audit_logs" AND kubernetes.audit.objectRef.resource == "secrets" AND kubernetes.audit.verb IN ("get", "list"))
 )
 AND source.ip IS NOT NULL
 // Cloud vendor label based on dataset
 | EVAL Esql.cloud_vendor = CASE(
- event.dataset == "aws.cloudtrail", "aws",
- event.dataset == "azure.platformlogs", "azure",
- event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
- event.dataset == "kubernetes.audit_logs", "k8s",
+ data_stream.dataset == "aws.cloudtrail", "aws",
+ data_stream.dataset == "azure.platformlogs", "azure",
+ data_stream.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
+ data_stream.dataset == "kubernetes.audit_logs", "k8s",
 "unknown"
 )
 // Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
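Review bot: `"googlecloud.audit"` in `data_stream.dataset IN ("googlecloud.audit", "gcp.audit")` and in the matching `CASE` arm is very likely dead after this change: the query reads `logs-gcp.audit-*`, whose data stream dataset is `gcp.audit`, and `googlecloud.audit` was a legacy `event.dataset` value rather than a data stream name. Leaving it in suggests the rule still covers that source when it probably no longer does; either drop it from both places or annotate why it stays, e.g. `/* "googlecloud.audit" retained for pre-integration indices; confirm data_stream.dataset is set there */`. The `WHERE`/`EVAL` pipeline continues outside the hunk.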
@@ -163,7 +163,7 @@ FROM logs-azure.platformlogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-*, logs-ku
 Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
 // Action & data source context
 Esql.event_action_values = VALUES(event.action),
- Esql.data_source_values = VALUES(event.dataset),
+ Esql.data_source_values = VALUES(data_stream.dataset),
 // Cloud vendor + tenant context
 Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
 Esql.tenant_label_values = VALUES(Esql.tenant_label),
diff --git a/rules/cross-platform/defense_evasion_missing_events_after_alert.toml b/rules/cross-platform/defense_evasion_missing_events_after_alert.toml
index 4b53205e0..3adc5bdf9 100644
--- a/rules/cross-platform/defense_evasion_missing_events_after_alert.toml
+++ b/rules/cross-platform/defense_evasion_missing_events_after_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/09"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=5m
- [any where event.dataset == "endpoint.alerts"]
+ [any where data_stream.dataset == "endpoint.alerts"]
 ![any where event.category in ("process", "library", "registry", "network", "dns", "file")]
 '''
diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
index af0064871..4fd4faa1d 100644
--- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
+++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -144,7 +144,7 @@ from
 agent.name,
 http.request.method,
 http.response.status_code,
- event.dataset,
+ data_stream.dataset,
 data_stream.namespace
 | stats
@@ -155,7 +155,7 @@ from
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
 Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip
 '''
diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
index ad5487a6d..e529df449 100644
--- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
+++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ from
 agent.name,
 http.request.method,
 http.response.status_code,
- event.dataset,
+ data_stream.dataset,
 data_stream.namespace
 | stats
@@ -108,7 +108,7 @@ from
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
 Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip
 '''
diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
index 59a2cdf48..87510f9c3 100644
--- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
+++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/23"
 integration = ["aws", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -101,14 +101,14 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version
 | WHERE
 // CloudTrail SSM SendCommand with AWS-RunShellScript
 (
- event.dataset == "aws.cloudtrail"
+ data_stream.dataset == "aws.cloudtrail"
 AND event.action == "SendCommand"
 AND aws.cloudtrail.request_parameters LIKE "*documentName=AWS-RunShellScript*"
 )
 // Linux endpoint process events, prefiltered to SSM shell runner OR LOLBins/GTFOBins
 OR (
- event.dataset == "endpoint.events.process"
+ data_stream.dataset == "endpoint.events.process"
 AND host.os.type == "linux"
 AND (
 // SSM shell (_script.sh) runner
@@ -149,8 +149,8 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version
 | WHERE Esql.aws_ssm_command_id IS NOT NULL
 // Role flags
-| EVAL Esql.is_cloud_event = event.dataset == "aws.cloudtrail"
-| EVAL Esql.is_endpoint_event = event.dataset == "endpoint.events.process"
+| EVAL Esql.is_cloud_event = data_stream.dataset == "aws.cloudtrail"
+| EVAL Esql.is_endpoint_event = data_stream.dataset == "endpoint.events.process"
 // Identify the SSM shell processes (the _script.sh runners)
 | EVAL Esql.is_ssm_shell_process =
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
index 807903bc5..708d1d05a 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ sequence with maxspan=1s
 )
 ) and process.interactive == true and container.id like "*"
 ] by orchestrator.resource.name
- [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
+ [any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
 '''
 
 [[rule.threat]]
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
index 25b202793..c4fee6e51 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -107,7 +107,7 @@ sequence with maxspan=1s
 )
 ) and process.interactive == true and container.id like "*"
 ] by orchestrator.resource.name
- [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
+ [any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
 `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
 ] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
 '''
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
index 677413701..dc3e15d67 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,7 @@ sequence with maxspan=1s
 )
 )] by orchestrator.resource.name
 [any where
- event.dataset == "kubernetes.audit_logs" and
+ data_stream.dataset == "kubernetes.audit_logs" and
 kubernetes.audit.stage in ("ResponseStarted","ResponseComplete") and
 kubernetes.audit.verb in ("get", "list", "watch", "create", "patch", "update") and
 (
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
index fc91b794a..a0a050a16 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ sequence with maxspan=60s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "open" and file.path in ("/var/run/secrets/kubernetes.io/serviceaccount/token", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") and process.interactive == true and container.id like "*"] by orchestrator.resource.name
- [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
+ [any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
 '''
 
 [[rule.threat]]
diff --git a/rules/cross-platform/execution_suspicious_python_command_execution.toml b/rules/cross-platform/execution_suspicious_python_command_execution.toml
index 8924fef08..487a3d780 100644
--- a/rules/cross-platform/execution_suspicious_python_command_execution.toml
+++ b/rules/cross-platform/execution_suspicious_python_command_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/04/06"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -98,7 +98,7 @@ FROM logs-endpoint.events.process-* METADATA _id, _version, _index
 process.parent.entity_id,
 agent.id,
 host.name,
- event.dataset,
+ data_stream.dataset,
 data_stream.namespace
 | STATS
@@ -107,7 +107,7 @@ FROM logs-endpoint.events.process-* METADATA _id, _version, _index
 Esql.process_command_line_values = VALUES(process.command_line),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index 0c42ed107..7c1ee72b4 100644
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 | where @timestamp > now() - 8 hours
 // filter for azure or m365 sign-in and external alerts with source.ip not null
 | where to_ip(source.ip) is not null
- and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
+ and (data_stream.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
 and not cidr_match(
 to_ip(source.ip), "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -93,13 +93,13 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 )
 // capture relevant raw fields
-| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
+| keep source.ip, event.action, event.outcome, data_stream.dataset, kibana.alert.rule.rule_id, event.category
 // classify each source ip based on alert type
 | eval
- Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
- Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
- Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
+ Esql.source_ip_mail_access_case = case(data_stream.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
+ Esql.source_ip_azure_signin_case = case(data_stream.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
+ Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not data_stream.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
 // aggregate by source ip
 | stats
@@ -107,8 +107,8 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 Esql.source_ip_mail_access_case_count_distinct = count_distinct(Esql.source_ip_mail_access_case),
 Esql.source_ip_azure_signin_case_count_distinct = count_distinct(Esql.source_ip_azure_signin_case),
 Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
- Esql.event_dataset_count_distinct = count_distinct(event.dataset),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_count_distinct = count_distinct(data_stream.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
 Esql.event_category_values = values(event.category)
 by Esql.source_ip = to_ip(source.ip)
@@ -116,7 +116,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 // correlation condition
 | where Esql.source_ip_network_alert_case_count_distinct > 0
- and Esql.event_dataset_count_distinct >= 2
+ and Esql.data_stream_dataset_count_distinct >= 2
 and (Esql.source_ip_mail_access_case_count_distinct > 0 or Esql.source_ip_azure_signin_case_count_distinct > 0)
 and Esql.event_count <= 100
 '''
diff --git a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
index 9bf079851..bc8d6bd62 100644
--- a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
+++ b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
@@ -3,7 +3,7 @@ creation_date = "2026/02/27"
 maturity = "production"
 min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
 min_stack_version = "9.3.0"
-updated_date = "2026/02/27"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _versi
 ),
 is_openclaw_spawn = process.parent.name in ("node", "node.exe") and (process.parent.command_line like "*openclaw*" or process.parent.command_line like "*moltbot*" or process.parent.command_line like "*clawdbot*")
 | WHERE process.Ext.ancestry IS NOT NULL and
- (event.dataset == "endpoint.alerts" or is_genai_spawn or is_openclaw_spawn)
+ (data_stream.dataset == "endpoint.alerts" or is_genai_spawn or is_openclaw_spawn)
 // Identify GenAI tool spawn events and capture their entity_ids
 | EVAL genai_entity_id = CASE(is_genai_spawn or is_openclaw_spawn, process.parent.entity_id, NULL)
@@ -86,7 +86,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _versi
 // Elastic Defend alerts from a GenAI grandparent
 | WHERE Esql.genai_ancestor_ids IS NOT NULL
- AND event.dataset == "endpoint.alerts" AND not rule.name in (
+ AND data_stream.dataset == "endpoint.alerts" AND not rule.name in (
 "Persistence via GenAI Tool",
 "Code Editor Untrusted or Unsigned Child Process Execution",
 "Suspicious Credential Access via GenAI Tool",
diff --git a/rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml b/rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
index 79d045f28..f0be32aa4 100644
--- a/rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
+++ b/rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
@@ -3,7 +3,7 @@ creation_date = "2026/03/31"
 maturity = "production"
 min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
 min_stack_version = "9.3.0"
-updated_date = "2026/03/31"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -102,7 +102,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* METADATA _id, _versi
 false
 )
-| WHERE process.Ext.ancestry IS NOT NULL AND (event.dataset == "endpoint.alerts" OR is_pkg_install)
+| WHERE process.Ext.ancestry IS NOT NULL AND (data_stream.dataset == "endpoint.alerts" OR is_pkg_install)
 // Capture entity_ids for package install parent processes
 | EVAL all_entity_id = CASE(is_pkg_install, process.parent.entity_id, "null")
@@ -114,7 +114,7 @@ FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* METADATA _id, _versi
 | EVAL Esql.pkg_ancestor_ids = MV_INTERSECTION(all_pkg_entity_ids, process.Ext.ancestry)
 // Elastic Defend alerts descended from a package install process
-| WHERE Esql.pkg_ancestor_ids IS NOT NULL AND event.dataset == "endpoint.alerts"
+| WHERE Esql.pkg_ancestor_ids IS NOT NULL AND data_stream.dataset == "endpoint.alerts"
 | KEEP *
 '''
diff --git a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
index 9d7045d81..add3b9b39 100644
--- a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
+++ b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/27"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -99,7 +99,7 @@ sequence by agent.id with maxspan=5m
 */
 ]
 [file where
- event.dataset == "endpoint.events.file" and
+ data_stream.dataset == "endpoint.events.file" and
 event.action in ("creation", "rename") and
 file.extension in ("php", "phtml", "pht", "php5", "asp", "aspx", "jsp", "jspx", "war", "cgi")
 /* We can add file.path values here in the future, if telemetry is noisy */
diff --git a/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml b/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
index 1b1b73047..8c9878a6c 100644
--- a/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
+++ b/rules/cross-platform/initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/03/09"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -35,9 +35,9 @@ type = "eql"
 query = '''
 sequence by user.name with maxspan=10m
- [authentication where event.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
+ [authentication where data_stream.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
 user.name != "root"]
- [any where event.kind == "signal" and kibana.alert.rule.name != null and event.dataset != "fortinet_fortigate.log" and
+ [any where event.kind == "signal" and kibana.alert.rule.name != null and data_stream.dataset != "fortinet_fortigate.log" and
 kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
 '''
 note = """## Triage and analysis
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 8227fb80b..30df174be 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
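Review bot: In the second `[any where event.kind == "signal" ...]` clause, `data_stream.dataset != "fortinet_fortigate.log"` is now evaluated on the alert document, which carries `data_stream.dataset` only if the source event did; for an alert whose source lacks that field the comparison runs against a missing value and, as far as I recall EQL's null handling, does not match, so such alerts silently drop out of the sequence even where `event.dataset` used to be present. If alerts from non-data-stream sources should still count, `(data_stream.dataset == null or data_stream.dataset != "fortinet_fortigate.log")` restores them; if not, a sentence in `note` stating that the second event must carry `data_stream.dataset` would document the narrowing. The `sequence` closes within the hunk.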
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
+event.type:creation and event.module:zoom and data_stream.dataset:zoom.webhook and
 event.action:meeting.created and not zoom.meeting.password:*
 '''
 note = """## Triage and analysis
diff --git a/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml b/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
index c4182d609..6de8ae3c2 100644
--- a/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
+++ b/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/18"
 integration = ["endpoint", "panw", "fortinet_fortigate", "suricata"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -42,22 +42,22 @@ query = '''
 FROM logs-* metadata _id
 | WHERE
 // Elastic Defend Alerts
- (event.module == "endpoint" and event.dataset == "endpoint.alerts") or
+ (event.module == "endpoint" and data_stream.dataset == "endpoint.alerts") or
 // PANW suspicious events
- (event.dataset == "panw.panos" and
+ (data_stream.dataset == "panw.panos" and
 event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied", "exploit_detected")) or
 // Fortigate suspicious events
- (event.dataset == "fortinet_fortigate.log" and
+ (data_stream.dataset == "fortinet_fortigate.log" and
 (event.action in ("outbreak-prevention", "infected", "blocked") or message like "backdoor*" or message like "Proxy*" or message like "anomaly*" or message like "P2P*" or message like "misc*" or message like "DNS.Over.HTTPS" or message like "Remote.Access")) or
 // Suricata
- (event.dataset == "suricata.eve" and message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan", "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"))
+ (data_stream.dataset == "suricata.eve" and message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan", "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected"))
 // extract source.ip from PANW or Fortigate events and host.ip from Elastic Defend alert
-|eval fw_alert_source_ip = CASE(event.dataset in ("panw.panos", "fortinet_fortigate.log"), source.ip, null),
- elastic_defend_alert_host_ip = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", host.ip, null)
+|eval fw_alert_source_ip = CASE(data_stream.dataset in ("panw.panos", "fortinet_fortigate.log"), source.ip, null),
+ elastic_defend_alert_host_ip = CASE(event.module == "endpoint" and data_stream.dataset == "endpoint.alerts", host.ip, null)
 | eval Esql.source_ip = COALESCE(fw_alert_source_ip, elastic_defend_alert_host_ip)
 | where Esql.source_ip is not null
diff --git a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
index 56a10ffce..4eb8661f4 100644
--- a/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
+++ b/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["endpoint", "checkpoint_email"]
 maturity = "production"
-updated_date = "2025/12/15"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -35,11 +35,11 @@ from logs-endpoint.alerts-*, logs-checkpoint_email.event-* metadata _id
 // Email or Elastic Defend alerts where user name is populated
 | where (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or
- (event.module == "endpoint" and event.dataset == "endpoint.alerts" and user.name is not null)
+ (event.module == "endpoint" and data_stream.dataset == "endpoint.alerts" and user.name is not null)
 // extract target user name from email and endpoint alerts
 | eval email_alert_target_user_name = CASE(event.category == "email", destination.user.name, null),
- elastic_defend_alert_user_name = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", user.name, null)
+ elastic_defend_alert_user_name = CASE(event.module == "endpoint" and data_stream.dataset == "endpoint.alerts", user.name, null)
 | eval Esql.target_user_name = COALESCE(email_alert_target_user_name, elastic_defend_alert_user_name)
 | where Esql.target_user_name is not null
diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml
index 816005daf..5b0c6a82f 100644
--- a/rules/cross-platform/multiple_alerts_involving_user.toml
+++ b/rules/cross-platform/multiple_alerts_involving_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/11/16"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -32,10 +32,10 @@ from .alerts-security.*
 Esql.rule_id_distinct_count = COUNT_DISTINCT(kibana.alert.rule.rule_id),
 Esql.host_id_distinct_count = COUNT_DISTINCT(host.id),
 Esql.risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),
- Esql.event_dataset_distinct_count = COUNT_DISTINCT(event.dataset),
+ Esql.data_stream_dataset_distinct_count = COUNT_DISTINCT(data_stream.dataset),
 Esql.rule_name_values = VALUES(kibana.alert.rule.name),
 Esql.risk_score_values = VALUES(kibana.alert.risk_score),
- Esql.event_dataset_values = VALUES(event.dataset),
+ Esql.data_stream_dataset_values = VALUES(data_stream.dataset),
 Esql.event_module_values = VALUES(event.module),
 Esql.process_command_line = VALUES(process.command_line),
 Esql.host_id_values = VALUES(host.id),
diff --git a/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml b/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
index a3296d016..ac7351f5e 100644
--- a/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
+++ b/rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
@@ -3,7 +3,7 @@ creation_date = "2026/02/03"
 maturity = "production"
 min_stack_comments = "ES|QL COMPLETION command requires Elastic Managed LLM (gp-llm-v2) available in 9.3.0+"
 min_stack_version = "9.3.0"
-updated_date = "2026/04/07"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -110,7 +110,7 @@ from .alerts-security.* METADATA _id, _version, _index
 Esql.host_name_values = VALUES(host.name),
 Esql.source_ip_values = VALUES(source.ip),
 Esql.destination_ip_values = VALUES(destination.ip),
- Esql.event_dataset_values = VALUES(event.dataset),
+ Esql.data_stream_dataset_values = VALUES(data_stream.dataset),
 Esql.process_executable_values = VALUES(process.executable),
 Esql.user_email_values = VALUES(user.email),
 Esql.timestamp_min = MIN(@timestamp),
@@ -131,7 +131,7 @@ from .alerts-security.* METADATA _id, _version, _index
 | eval Esql.hosts_str = COALESCE(MV_CONCAT(Esql.host_name_values, ", "), "unknown")
 | eval Esql.source_ips_str = COALESCE(MV_CONCAT(TO_STRING(Esql.source_ip_values), ", "), "unknown")
 | eval Esql.destination_ips_str = COALESCE(MV_CONCAT(TO_STRING(Esql.destination_ip_values), ", "), "unknown")
-| eval Esql.datasets_str = COALESCE(MV_CONCAT(Esql.event_dataset_values, ", "), "unknown")
+| eval Esql.datasets_str = COALESCE(MV_CONCAT(Esql.data_stream_dataset_values, ", "), "unknown")
 | eval Esql.processes_str = COALESCE(MV_CONCAT(Esql.process_executable_values, ", "), "unknown")
 | eval Esql.users_email_str = COALESCE(MV_CONCAT(Esql.user_email_values, "; "), "n/a")
 | eval alert_summary = CONCAT("User: ", user.name, " | Email: ", Esql.users_email_str, " | Alerts: ", TO_STRING(Esql.alerts_count), " | Distinct rules: ", TO_STRING(Esql.kibana_alert_rule_name_count_distinct), " | Hosts affected: ", TO_STRING(Esql.host_name_count_distinct), " | Time window: ", Esql.time_window_minutes, " min | Max risk: ", TO_STRING(Esql.kibana_alert_risk_score_max), " | Rules: ", Esql.rules_str, " | Tactics: ", Esql.tactics_str, " | Techniques: ", Esql.techniques_str, " | Hosts: ", Esql.hosts_str, " | Source IPs: ", Esql.source_ips_str, " | Destination IPs: ", Esql.destination_ips_str, " | Data sources: ", Esql.datasets_str, " | Processes: ", Esql.processes_str)
diff --git a/rules/cross-platform/multiple_alerts_risky_host_esql.toml b/rules/cross-platform/multiple_alerts_risky_host_esql.toml
index 1f1583c32..a0cd85860 100644
--- a/rules/cross-platform/multiple_alerts_risky_host_esql.toml
+++ b/rules/cross-platform/multiple_alerts_risky_host_esql.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2025/11/19"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ from .alerts-security.* metadata _id
 // filter for alerts with populated risk score, excluding threat_match rules, deprecated and some other noisy ones.
 | where kibana.alert.risk_score > 0 and kibana.alert.rule.name IS NOT NULL and
- host.id is not null and event.dataset is not null and
+ host.id is not null and data_stream.dataset is not null and
 kibana.alert.rule.type != "threat_match" and
 // Top noisy influencing rules
 not kibana.alert.rule.name in ("Agent Spoofing - Mismatched Agent ID", "Compression DLL Loaded by Unusual Process", "Process Termination followed by Deletion", "Suspicious PrintSpooler Service Executable File Creation", "Potential PrintNightmare File Modification") and
diff --git a/rules/cross-platform/multiple_alerts_same_tactic_by_host.toml b/rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
index 98c35fce5..f617db72d 100644
--- a/rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
+++ b/rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/01/12"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ from .alerts-security.* metadata _id
 | where kibana.alert.risk_score > 21 and kibana.alert.rule.name IS NOT NULL and
- host.id is not null and event.dataset is not null and
+ host.id is not null and data_stream.dataset is not null and
 // excluding ML and Threat Match rules as they tend to be noisy
 not kibana.alert.rule.type in ("threat_match", "machine_learning") and
diff --git a/rules/cross-platform/multiple_elastic_defend_behavior_rules_same_host_prevalence.toml b/rules/cross-platform/multiple_elastic_defend_behavior_rules_same_host_prevalence.toml
index 59437ccca..76d95be7e 100644
--- a/rules/cross-platform/multiple_elastic_defend_behavior_rules_same_host_prevalence.toml
+++ b/rules/cross-platform/multiple_elastic_defend_behavior_rules_same_host_prevalence.toml
@@ -3,7 +3,7 @@
 creation_date = "2026/02/19"
 maturity = "production"
 min_stack_comments = "ES|QL inline stats became generally available in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ type = "esql"
 query = '''
 from logs-endpoint.alerts-* metadata _id
-| where event.dataset == "endpoint.alerts" and event.code == "behavior"
+| where data_stream.dataset == "endpoint.alerts" and event.code == "behavior"
 | INLINE STATS hosts = COUNT_DISTINCT(host.id) BY rule.name
 // excludes rules triggering on multiple hosts to reduce potential FPs
 | where hosts == 1
diff --git a/rules/cross-platform/multiple_external_edr_alerts_by_host.toml b/rules/cross-platform/multiple_external_edr_alerts_by_host.toml
index de6113d53..95198d804 100644
--- a/rules/cross-platform/multiple_external_edr_alerts_by_host.toml
+++ b/rules/cross-platform/multiple_external_edr_alerts_by_host.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/01/09"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ type = "esql"
 query = '''
 from .alerts-security.*
-| WHERE event.dataset in ("crowdstrike.alert", "crowdstrike.falcon", "sentinel_one.alert", "sentinel_one.threat", "m365_defender.alert") and
+| WHERE data_stream.dataset in ("crowdstrike.alert", "crowdstrike.falcon", "sentinel_one.alert", "sentinel_one.threat", "m365_defender.alert") and
 host.id is not null and kibana.alert.risk_score > 21 and
 not (event.module == "crowdstrike" and (kibana.alert.rule.name like "* at *" or kibana.alert.rule.name like "* on *" or kibana.alert.rule.name == "EICARTestFileWrittenWin")) and
 not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
diff --git a/rules/cross-platform/multiple_vulnerabilities_wiz_by_container.toml b/rules/cross-platform/multiple_vulnerabilities_wiz_by_container.toml
index eeec1a93d..cf4d3711d 100644
--- a/rules/cross-platform/multiple_vulnerabilities_wiz_by_container.toml
+++ b/rules/cross-platform/multiple_vulnerabilities_wiz_by_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/22"
 integration = ["wiz"]
 maturity = "production"
-updated_date = "2026/01/22"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ type = "esql"
 query = '''
 FROM logs-wiz.vulnerability-*
-| WHERE event.dataset == "wiz.vulnerability" and event.category == "vulnerability" and
+| WHERE data_stream.dataset == "wiz.vulnerability" and event.category == "vulnerability" and
 wiz.vulnerability.vulnerable_asset.name is not null and wiz.vulnerability.vulnerable_asset.id is not null
 | stats
 Esql.count_distinct_vuln_id = COUNT_DISTINCT(wiz.vulnerability.id),
diff --git a/rules/cross-platform/newly_observed_elastic_detection_rule.toml b/rules/cross-platform/newly_observed_elastic_detection_rule.toml
index 09875a9d3..bbd8eaae8 100644
--- a/rules/cross-platform/newly_observed_elastic_detection_rule.toml
+++ b/rules/cross-platform/newly_observed_elastic_detection_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/01/07"
 maturity = "production"
-updated_date = "2026/02/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ FROM .alerts-security.*
 not kibana.alert.rule.type in ("threat_match", "machine_learning", "new_terms") and
 not kibana.alert.rule.name like "Deprecated - *" and kibana.alert.rule.name != "My First Rule" and
 // covered by 7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8
- event.dataset != "endpoint.alerts" and
+ data_stream.dataset != "endpoint.alerts" and
 not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """)
 | STATS Esql.alerts_count = count(*),
 Esql.first_time_seen = MIN(@timestamp),
diff --git a/rules/cross-platform/newly_observed_panos_alert.toml b/rules/cross-platform/newly_observed_panos_alert.toml
index 3d09c87be..46112f653 100644
--- a/rules/cross-platform/newly_observed_panos_alert.toml
+++ b/rules/cross-platform/newly_observed_panos_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/21"
 integration = ["panw"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ query = '''
 FROM logs-panw.panos-*, filebeat-* metadata _id
 // exclude Informational and Low severity levels (4 and 5)
-| where event.dataset == "panw.panos" and TO_INTEGER(event.severity) <= 3 and event.action != "flood_detected"
+| where data_stream.dataset == "panw.panos" and TO_INTEGER(event.severity) <= 3 and event.action != "flood_detected"
 | STATS Esql.alerts_count = count(*),
 Esql.first_time_seen = MIN(@timestamp),
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index 0e14d3d4a..e9c9108a9 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
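Review bot: In the `@@ -26,7 +26,7 @@` hunk of newly_observed_panos_alert.toml the query still reads `FROM logs-panw.panos-*, filebeat-*`, but the new `| where data_stream.dataset == "panw.panos"` filter only matches documents that carry `data_stream.*` fields, which are set on integration data streams; events that still arrive through the legacy `filebeat-*` index pattern typically carry `event.dataset` and no `data_stream.dataset`, so that source is silently dropped rather than failing loudly. Either remove `filebeat-*` from the FROM clause if the legacy path is no longer supported, or keep it working with a fallback, e.g. `| where COALESCE(data_stream.dataset, event.dataset) == "panw.panos" and TO_INTEGER(event.severity) <= 3 and event.action != "flood_detected"`. A short comment above the line recording which choice was made would save the next reader the same question. The STATS that follows continues past the end of the hunk.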
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -116,7 +116,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 http.response.status_code,
 user_agent.original,
 agent.name,
- event.dataset,
+ data_stream.dataset,
 data_stream.namespace
 | stats
@@ -130,7 +130,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.url_path_values = values(Esql.url_original_to_lower),
 Esql.http.response.status_code_values = values(http.response.status_code),
 Esql.user_agent_original_values = values(user_agent.original),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace),
 // Rule Specific fields
diff --git a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
index a21ef09d5..13acee95d 100644
--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 | keep
 @timestamp,
- event.dataset,
+ data_stream.dataset,
 http.request.method,
 http.response.status_code,
 source.ip,
@@ -90,7 +90,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
 Esql.url_original_values = values(Esql.url_original_to_lower),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip
 | where
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index 6e1a85094..263c0a8d2 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
 | keep
 @timestamp,
 event.type,
- event.dataset,
+ data_stream.dataset,
 source.ip,
 agent.id,
 host.name,
@@ -79,7 +79,7 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
 Esql.event_count = count(),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
index 474e146dc..d2300aac5 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 | keep
 @timestamp,
- event.dataset,
+ data_stream.dataset,
 http.request.method,
 http.response.status_code,
 source.ip,
@@ -97,7 +97,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
 Esql.url_path_values = values(Esql.url_original_to_lower),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
index f98e838dc..66dd3b7a6 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 | keep
 @timestamp,
- event.dataset,
+ data_stream.dataset,
 user_agent.original,
 source.ip,
 agent.id,
@@ -111,7 +111,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.agent_id_values = values(agent.id),
 Esql.url_original_values = values(Esql.url_original_to_lower),
 Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
- Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_dataset_values = values(data_stream.dataset),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 9c0e12dd9..3e6d6ede7 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "cloudtrail.amazonaws.com"
 and event.action: "CreateTrail"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index 20256d83f..ac32cd1ee 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "s3.amazonaws.com"
 and event.action: (
 "GetObject" or
diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
index eacc8d821..f11d091d5 100644
--- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
+++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"aws.cloudtrail"
+data_stream.dataset:"aws.cloudtrail"
 and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
 '''
diff --git a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
index 57b2baeef..59a05af0c 100644
--- a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
+++ b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where event.dataset == "aws.cloudtrail"
+iam where data_stream.dataset == "aws.cloudtrail"
 and event.action == "AttachUserPolicy"
 and event.outcome == "success"
 and stringContains(aws.cloudtrail.request_parameters, "AWSCompromisedKeyQuarantine")
diff --git a/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml b/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml
index f7ad807f9..a6136fbc0 100644
--- a/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml
+++ b/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/04/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/04/06"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.outcome: "success"
 and source.ip:*
 and aws.cloudtrail.user_identity.access_key_id: AKIA*
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index 41cee1240..507716931 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail and
+data_stream.dataset: aws.cloudtrail and
 event.provider: iam.amazonaws.com and
 event.action: AddUserToGroup and
 event.outcome: success
diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
index 0ca0106e1..db3a3393f 100644
--- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: secretsmanager.amazonaws.com
 and event.action: GetSecretValue
 and event.outcome: success
diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
index 20d915624..ba5a12b27 100644
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "secretsmanager.amazonaws.com"
 and event.action: "GetSecretValue"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index 506c4ecdf..5034ab503 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: "ssm.amazonaws.com"
 and event.action: (GetParameters or GetParameter)
 and event.outcome: success
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index d6fa16aca..7bce7b4e2 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -118,7 +118,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset:aws.cloudtrail and
+data_stream.dataset:aws.cloudtrail and
 event.provider:signin.amazonaws.com and
 event.action:ConsoleLogin and
 aws.cloudtrail.user_identity.type:Root and
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 2dba17cda..73840cdf7 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "cloudtrail.amazonaws.com"
 and event.action: "DeleteTrail"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml
index 80e7f6407..cfcbedc24 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and aws.cloudtrail.flattened.request_parameters.reason: "requestParameters too large" and aws.cloudtrail.flattened.request_parameters.omitted : true and event.outcome: success
+data_stream.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and aws.cloudtrail.flattened.request_parameters.reason: "requestParameters too large" and aws.cloudtrail.flattened.request_parameters.omitted : true and event.outcome: success
 '''
 [rule.investigation_fields]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index dea0d7a8d..e0a1e3ae4 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "cloudtrail.amazonaws.com"
 and event.action: "StopLogging"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 3dedaf38d..26a9d8fd8 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "monitoring.amazonaws.com"
 and event.action: "DeleteAlarms"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 8d37020dc..b6ebb9ca4 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: config.amazonaws.com
 and event.outcome: success
 and event.action: (DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 41c5766b5..cc158d616 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: config.amazonaws.com
 and event.action: StopConfigurationRecorder
 and event.outcome: success
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index a613f4260..06cf312ca 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/05"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
+data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
 '''
 [rule.investigation_fields]
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 94ab7f359..6a1866b9e 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
+data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
 '''
 [rule.investigation_fields]
 field_names = [
diff --git a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
index 90f097c14..420a598d0 100644
--- a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -107,7 +107,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ec2.amazonaws.com"
 and event.action: "EnableSerialConsoleAccess"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index b479a2dae..29293dbc3 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: guardduty.amazonaws.com
 and event.action: DeleteDetector
 and event.outcome: success
diff --git a/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml b/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
index fcabf82f4..319cc5803 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/05"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "guardduty.amazonaws.com"
 and event.action: (
 "DisassociateFromAdministratorAccount" or
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
index 6d037474f..b435c623c 100644
--- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
+++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -144,7 +144,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "rds.amazonaws.com"
 and event.action: ("RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3")
 and event.outcome: "success"
diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index b4817233c..be9ad6a5a 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -109,7 +109,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: route53resolver.amazonaws.com
 and event.action: DeleteResolverQueryLogConfig
 and event.outcome: success
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 21de01a05..465b453d9 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -109,7 +109,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and
+data_stream.dataset:aws.cloudtrail and
 event.provider:s3.amazonaws.com and
 event.action:(DeleteBucketPolicy or
 DeleteBucketReplication or
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
index d7bf8608f..231e22848 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -131,7 +131,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.action == "PutBucketLifecycle"
 and event.outcome == "success"
 and stringContains(aws.cloudtrail.request_parameters, "Expiration=")
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml b/rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml
index 70175107d..e477a5e03 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -103,7 +103,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.action == "PutBucketLogging"
 and event.outcome == "success"
diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
index 1d4e6533f..684b28bef 100644
--- a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
+++ b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/08"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "sqs.amazonaws.com"
 and event.action: "PurgeQueue"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
index ff639694e..fda6471a9 100644
--- a/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
+++ b/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider:sts.amazonaws.com
 and event.action:GetFederationToken
 and event.outcome:success
diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
index 5bb8dd409..4bee481c6 100644
--- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
+++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: ec2.amazonaws.com
 and event.action: AuthorizeSecurityGroupIngress
 and event.outcome: success
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 237ed1e08..67d4d9bf3 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -151,7 +151,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
 and event.action: DeleteWebACL
 and event.outcome: success
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index e953ed3d6..2a678ab30 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -130,7 +130,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
 and event.action: (DeleteRule or DeleteRuleGroup)
 and event.outcome: success
diff --git a/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml b/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml
index 6d6583be3..2eab5f230 100644
--- a/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml
+++ b/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -104,7 +104,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ec2.amazonaws.com"
 and event.action: "DescribeImages"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
index 07be3b05e..5a63a6791 100644
--- a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
+++ b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ec2.amazonaws.com"
 and event.action: "DescribeInstanceAttribute"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
index 9f6d0e9c3..3a0b69bd9 100644
--- a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
+++ b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -105,7 +105,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: "UpdateAssumeRolePolicy"
 and aws.cloudtrail.error_code: "MalformedPolicyDocumentException"
diff --git a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
index f2639c69a..1957c847f 100644
--- a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
+++ b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
 min_stack_version = "9.2.0"
-updated_date = "2026/04/01"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -142,7 +142,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 | eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
 | where
- event.dataset == "aws.cloudtrail"
+ data_stream.dataset == "aws.cloudtrail"
 // exclude service account and console behavior
 and source.ip IS NOT NULL
diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
index 57341cda8..65838310a 100644
--- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
+++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "sts.amazonaws.com"
 and event.action: "GetCallerIdentity"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml b/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml
index 920192a3a..aa3124045 100644
--- a/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml
+++ b/rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/04/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/04/01"
+updated_date = "2026/04/10"
 min_stack_version = "9.2.0"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.outcome: "success"
 and source.ip:*
 and not aws.cloudtrail.session_credential_from_console: "true"
diff --git a/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml b/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml
index 3f29797b7..a058c292d 100644
--- a/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml
+++ b/rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
 min_stack_version = "9.2.0"
-updated_date = "2026/04/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -107,7 +107,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 | eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
 | where
- event.dataset == "aws.cloudtrail"
+ data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.outcome == "success"
 and event.action in (
diff --git a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
index f86a9fcfd..dc7178d13 100644
--- a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
+++ b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/08/26"
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,7 @@ from logs-aws.cloudtrail-* METADATA _id, _version, _index
 // filter for GetServiceQuota API calls
 | where
- event.dataset == "aws.cloudtrail"
+ data_stream.dataset == "aws.cloudtrail"
 and event.provider == "servicequotas.amazonaws.com"
 and event.action == "GetServiceQuota"
diff --git a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
index 1f86cdc6d..68f2c9269 100644
--- a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
+++ b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ssm.amazonaws.com"
 and (
 event.action: ("GetInventory" or "GetInventorySchema" or "ListInventoryEntries" or "DescribeInstancePatches" or "ListCommands")
diff --git a/rules/integrations/aws/execution_cloudshell_environment_created.toml b/rules/integrations/aws/execution_cloudshell_environment_created.toml
index 08abce57f..fcee57d0d 100644
--- a/rules/integrations/aws/execution_cloudshell_environment_created.toml
+++ b/rules/integrations/aws/execution_cloudshell_environment_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "cloudshell.amazonaws.com"
 and event.action: "CreateEnvironment"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
index 0be80713d..ba7bbf173 100644
--- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
+++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -98,7 +98,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: lambda.amazonaws.com
 and event.outcome: success
 and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration*)
diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
index b95f19cbc..dfbe54fc0 100644
--- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
+++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
+data_stream.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
 event.action: (CreateStack or CreateStackInstances) and
 event.outcome:success
 '''
diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
index b69d06a25..603715ae5 100644
--- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
+++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/25"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ssm.amazonaws.com"
 and event.action: "CreateDocument"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml b/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
index 0ac438e7e..842c266c9 100644
--- a/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
+++ b/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/10"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ssm.amazonaws.com"
 and event.action: "SendCommand"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
index 7ac4b8a88..af3d79a0d 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "dynamodb.amazonaws.com"
 and event.action: "Scan"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
index 9385daad2..cf235544d 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "dynamodb.amazonaws.com"
 and event.action: "ExportTableToPointInTime"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 8e37b687d..0c651d0cb 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
+data_stream.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
 and event.action: ModifyImageAttribute and event.outcome: success and aws.cloudtrail.request_parameters: *add=* and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
diff --git a/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml b/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
index 1e709bd38..a99abcc9e 100644
--- a/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.action == "ModifySnapshotAttribute"
 and event.outcome == "success"
 and stringContains (aws.cloudtrail.request_parameters, "attributeType=CREATE_VOLUME_PERMISSION")
diff --git a/rules/integrations/aws/exfiltration_ec2_export_task.toml b/rules/integrations/aws/exfiltration_ec2_export_task.toml
index 85ea184fc..3be5f568f 100644
--- a/rules/integrations/aws/exfiltration_ec2_export_task.toml
+++ b/rules/integrations/aws/exfiltration_ec2_export_task.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/23"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail" and
+data_stream.dataset: "aws.cloudtrail" and
 event.provider: "ec2.amazonaws.com" and
 event.action: ("CreateInstanceExportTask" or "ExportImage" or "CreateStoreImageTask") and
 event.outcome: "success"
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 69392b27d..b74d9c15a 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -113,7 +113,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail" and
+data_stream.dataset: "aws.cloudtrail" and
 event.provider: "ec2.amazonaws.com" and
 event.action: "CreateTrafficMirrorSession" and
 event.outcome: "success"
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 3438596f8..7de61e37f 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -141,7 +141,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: rds.amazonaws.com
 and event.action: StartExportTask
 and event.outcome: success
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml b/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
index 85e24f146..b54813ee2 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -133,7 +133,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "rds.amazonaws.com"
 and event.outcome == "success"
 and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute")
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
index 55d8c871c..0fb3121a2 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -130,7 +130,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.action == "PutBucketPolicy"
 and event.outcome == "success"
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
index 6d7ba2052..3759ebb00 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -129,7 +129,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.action == "PutBucketPolicy"
 and event.outcome == "success"
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
index f37e1f2d0..a222c08eb 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -139,7 +139,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.action == "PutBucketReplication"
 and event.outcome == "success"
 and stringContains(aws.cloudtrail.request_parameters, "Account=")
diff --git a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
index be5fa4a35..ace7a1260 100644
--- a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
+++ b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/09"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -101,7 +101,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and user_agent.original: (*S3 Browser* or *Cyberduck*)
 and event.outcome: "success"
 '''
diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
index e0a94c08f..832868d59 100644
--- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
+++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "sns.amazonaws.com"
 and event.action: "Subscribe"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index f432d063a..0e2e4cf05 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -112,7 +112,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: events.amazonaws.com
 and event.action: (DeleteRule or DisableRule)
 and event.outcome: success
diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
index 6ec5c340a..dae825c15 100644
--- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
+++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
- event.dataset: "aws.cloudtrail" and
+ data_stream.dataset: "aws.cloudtrail" and
 event.provider : "s3.amazonaws.com" and
 aws.cloudtrail.error_code : "AccessDenied" and
 tls.client.server_name : *
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index cbab012a4..864e026f3 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "cloudtrail.amazonaws.com"
 and event.action: "UpdateTrail"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index ed265299c..74f47a2d4 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -140,7 +140,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "logs.amazonaws.com"
 and event.action: "DeleteLogGroup"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 4ee8165d8..891da64e3 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -127,7 +127,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "logs.amazonaws.com"
 and event.action: "DeleteLogStream"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 0b73ed699..d859d9fdf 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
+data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
 '''
diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
index c6951c7a1..420705da4 100644
--- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
+++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -106,7 +106,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.action == "ModifySnapshotAttribute"
 and event.outcome == "success"
 and stringContains (aws.cloudtrail.request_parameters, "attributeType=CREATE_VOLUME_PERMISSION")
diff --git a/rules/integrations/aws/impact_efs_filesystem_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_deleted.toml
index b8cf69060..8d78d9359 100644
--- a/rules/integrations/aws/impact_efs_filesystem_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -132,7 +132,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "elasticfilesystem.amazonaws.com"
 and event.action: "DeleteFileSystem"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index b5533647e..726103b55 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -107,7 +107,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: iam.amazonaws.com
 and event.action: DeactivateMFADevice
 and event.outcome: success
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 90bdb232f..7c3e68c1c 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail and
+data_stream.dataset: aws.cloudtrail and
 event.provider: iam.amazonaws.com and
 event.action: DeleteGroup and
 event.outcome: success
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index 84fdd4c09..8278e132c 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Xavier Pich"]
@@ -136,7 +136,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "kms.amazonaws.com"
 and event.action: ("DisableKey" or "ScheduleKeyDeletion")
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index cfabd72e5..bafdc7faa 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -147,7 +147,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: rds.amazonaws.com
 and event.action: (DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
 and event.outcome: success
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
index faa111891..be14aa4ce 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/28"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -114,7 +114,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "aws.cloudtrail"
+any where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "rds.amazonaws.com"
 and event.action in ("ModifyDBInstance", "ModifyDBCluster")
 and event.outcome == "success"
diff --git a/rules/integrations/aws/impact_rds_snapshot_deleted.toml b/rules/integrations/aws/impact_rds_snapshot_deleted.toml
index ccee14c1e..2a01102c5 100644
--- a/rules/integrations/aws/impact_rds_snapshot_deleted.toml
+++ b/rules/integrations/aws/impact_rds_snapshot_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -138,7 +138,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "aws.cloudtrail"
+any where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "rds.amazonaws.com"
 and event.outcome == "success"
 and (
diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
index 5cb062124..fb8db177d 100644
--- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
+++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -115,7 +115,7 @@ type = "eql"
 query = '''
 file where
- event.dataset == "aws.cloudtrail" and
+ data_stream.dataset == "aws.cloudtrail" and
 event.provider == "s3.amazonaws.com" and
 event.action == "PutObject" and
 event.outcome == "success" and
diff --git a/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml
index 50c47bc15..6eab4d3a4 100644
--- a/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml
+++ b/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "s3.amazonaws.com"
 and event.action: "PutObject"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
index bf1de47eb..7d7fd64cf 100644
--- a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
+++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -164,7 +164,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 // any successful S3 copy event
 | where
- event.dataset == "aws.cloudtrail"
+ data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.action == "CopyObject"
 and event.outcome == "success"
diff --git a/rules/integrations/aws/impact_s3_object_versioning_disabled.toml b/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
index d48d2e841..b0f0828ea 100644
--- a/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
+++ b/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -110,7 +110,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.action == "PutBucketVersioning"
 and event.outcome == "success"
diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
index 9a4bfdd2d..93184bd03 100644
--- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
+++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 | where
 // S3 object write activity
- event.dataset == "aws.cloudtrail"
+ data_stream.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
 and event.action == "PutObject"
 and event.outcome == "success"
diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
index 3553a07eb..050e6e720 100644
--- a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
+++ b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "s3.amazonaws.com"
 and event.action: "PutObject"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index a8842b975..5c32877a9 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -109,7 +109,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and
+data_stream.dataset:aws.cloudtrail and
 event.provider:signin.amazonaws.com and
 event.action:ConsoleLogin and
 aws.cloudtrail.user_identity.type:Root and
diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
index 0fe9671e7..6cd6d619e 100644
--- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
+++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ type = "esql"
 query = '''
 from logs-aws.cloudtrail* metadata _id, _version, _index
-| where event.dataset == "aws.cloudtrail"
+| where data_stream.dataset == "aws.cloudtrail"
 and aws.cloudtrail.user_identity.arn is not null
 and aws.cloudtrail.user_identity.type == "IAMUser"
 and source.ip is not null
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index f5071de40..ab6c7ca18 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -103,7 +103,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and
+data_stream.dataset:aws.cloudtrail and
 event.provider:signin.amazonaws.com and
 event.action:PasswordRecoveryRequested and
 event.outcome:success
diff --git a/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml b/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml
index f3f64e84c..fc3afec17 100644
--- a/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml
+++ b/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail" and
+data_stream.dataset: "aws.cloudtrail" and
 event.provider: "signin.amazonaws.com" and
 event.action : "ConsoleLogin" and
 aws.cloudtrail.user_identity.type: "FederatedUser" and
diff --git a/rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_cloudtrail.toml b/rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
index 430d1bcaf..d48f1879e 100644
--- a/rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_c

loudtrail.toml
+++ b/rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/31"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "aws.cloudtrail"
+any where data_stream.dataset == "aws.cloudtrail"
 and event.outcome == "success"
 and (
 (
diff --git a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
index 9aae37ec5..309ddfc0f 100644
--- a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
+++ b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"aws.cloudtrail" and event.provider:"ssm.amazonaws.com"
+data_stream.dataset:"aws.cloudtrail" and event.provider:"ssm.amazonaws.com"
 and event.action:"StartSession" and event.outcome:"success"
 '''
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
index ca830abae..70bb26af4 100644
--- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
+++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: ec2-instance-connect.amazonaws.com
 and event.action: (SendSSHPublicKey or SendSerialConsoleSSHPublicKey)
 and event.outcome: success
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
index 6bb5af9fa..3bed2e502 100644
--- a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
+++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -114,7 +114,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-info where event.dataset == "aws.cloudtrail"
+info where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "signin.amazonaws.com"
 and event.action in ("ConsoleLogin", "GetSigninToken")
 and event.outcome == "success"
diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
index 903ca5ff5..b934a1134 100644
--- a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
+++ b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/07"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"aws.cloudtrail"
+data_stream.dataset:"aws.cloudtrail"
 and event.provider:"sns.amazonaws.com"
 and event.action:"Publish"
 and event.outcome:"success"
diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
index 4012b6634..7fa7eee29 100644
--- a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
+++ b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -110,7 +110,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where event.dataset == "aws.cloudtrail"
+iam where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "iam.amazonaws.com"
 and event.outcome == "success"
 and event.action in ("CreateVirtualMFADevice", "EnableMFADevice")
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index a72f180db..80c27e68f 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
+data_stream.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
 '''
 [rule.investigation_fields]
diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
index 771fa38a3..56a39e147 100644
--- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -104,7 +104,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ec2.amazonaws.com"
 and event.action:(
 "ReplaceRoute" or
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index a2105eaa9..d7d162291 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "ec2.amazonaws.com" and event.outcome: "success" and (event.action:( "AuthorizeSecurityGroupIngress" or
diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
index 16a775ca3..9c34b5659 100644
--- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
+++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -122,7 +122,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: aws.cloudtrail
+data_stream.dataset: aws.cloudtrail
 and event.provider: ("iam.amazonaws.com")
 and event.outcome: "success"
 and aws.cloudtrail.user_identity.type: "IAMUser"
diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
index 6edad08e8..f092f15d4 100644
--- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
+++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -118,7 +118,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "aws.cloudtrail"
+any where data_stream.dataset == "aws.cloudtrail"
 and event.provider == "iam.amazonaws.com"
 and event.action == "CreateLoginProfile"
 and aws.cloudtrail.user_identity.type == "Root"
diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
index 0df9d192b..dcac0582d 100644
--- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
+++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: "CreateUser"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index 1eb39e9cb..3dc1f7dc3 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: aws.cloudtrail and
+data_stream.dataset: aws.cloudtrail and
 event.provider: iam.amazonaws.com and
 event.action: CreateGroup and
 event.outcome: success
diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml
index 456d11f2a..a14f2143e 100644
--- a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml
+++ b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -111,7 +111,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: "CreateOpenIDConnectProvider"
 and event.outcome: "success"
diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
index 3c73289d5..5b1a3ce75 100644
--- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
+++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
@@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -128,7 +128,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: aws.cloudtrail +data_stream.dataset: aws.cloudtrail and event.provider: rolesanywhere.amazonaws.com and event.action: CreateProfile and event.outcome: success diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index b93e5e177..ed48e71c7 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -119,7 +119,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -info where event.dataset == "aws.cloudtrail" +info where data_stream.dataset == "aws.cloudtrail" and event.provider == "rolesanywhere.amazonaws.com" and event.action == "CreateTrustAnchor" and event.outcome == "success" diff --git a/rules/integrations/aws/persistence_iam_saml_provider_created.toml b/rules/integrations/aws/persistence_iam_saml_provider_created.toml index 9116a811d..51a565096 100644 --- a/rules/integrations/aws/persistence_iam_saml_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_saml_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -107,7 +107,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: "CreateSAMLProvider" and event.outcome: "success" diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index 6a4dcd371..7e3f9bb3a 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/13" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -126,7 +126,7 @@ type = "esql" query = ''' from logs-aws.cloudtrail-* metadata _id, _version, _index -| where event.dataset == "aws.cloudtrail" +| where data_stream.dataset == "aws.cloudtrail" and event.provider == "iam.amazonaws.com" and event.action == "CreateAccessKey" and event.outcome == "success" @@ -138,7 +138,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index event.provider, event.action, event.outcome, - event.dataset, + data_stream.dataset, user.name, source.address, source.ip, diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index cc5eccd43..d1d345fce 100644 --- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
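Review bot: In the `@@ -138,7 +138,7 @@` hunk, replacing `event.dataset,` with `data_stream.dataset,` in what appears to be the ES|QL projected field list changes the alert's output columns, not just the filter, so any investigation guide text, `investigation_fields` entry or exception keyed on `event.dataset` for this rule would now see an absent value; those sections are outside the hunk and cannot be checked here. Because `from logs-aws.cloudtrail-*` already restricts the source, the `| where data_stream.dataset == "aws.cloudtrail"` line in the preceding hunk is redundant but harmless, and a comment such as `// dataset filter kept for parity with the KQL/EQL CloudTrail rules` would explain why it is retained. Both ES|QL hunks are cut from a query that continues outside the hunk.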
@@ -102,7 +102,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -info where event.dataset == "aws.cloudtrail" +info where data_stream.dataset == "aws.cloudtrail" and event.provider == "lambda.amazonaws.com" and event.outcome == "success" and event.action : "AddPermission*" diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml index cf7e2c1b3..d29f43bfe 100644 --- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/27" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -126,7 +126,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -info where event.dataset == "aws.cloudtrail" +info where data_stream.dataset == "aws.cloudtrail" and event.provider == "rds.amazonaws.com" and event.action in ("ModifyDBInstance", "ModifyDBCluster") and event.outcome == "success" diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml index 9ce154cae..4fc5be1cb 100644 --- a/rules/integrations/aws/persistence_rds_instance_made_public.toml +++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -131,7 +131,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "aws.cloudtrail" +any where data_stream.dataset == "aws.cloudtrail" and event.provider == "rds.amazonaws.com" and event.outcome == "success" and ( 
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml index c54f9538c..d9765f4b0 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -118,7 +118,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: aws.cloudtrail +data_stream.dataset: aws.cloudtrail and event.provider: route53domains.amazonaws.com and event.action: DisableDomainTransferLock and event.outcome: success diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml index cabac631f..9949f653e 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -118,7 +118,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: aws.cloudtrail +data_stream.dataset: aws.cloudtrail and event.provider: route53domains.amazonaws.com and event.action: TransferDomainToAnotherAwsAccount and event.outcome: success diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml index 83355ae7d..e13d22e13 100644 
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Austin Songer", "Elastic"] @@ -116,7 +116,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: aws.cloudtrail +data_stream.dataset: aws.cloudtrail and event.provider: route53.amazonaws.com and event.action: AssociateVPCWithHostedZone and event.outcome: success diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml index a03d91f91..2cecfa05d 100644 --- a/rules/integrations/aws/persistence_route_table_created.toml +++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -77,7 +77,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" and event.action:( "CreateRoute" or diff --git a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml index 8a4189fc1..b0456ba36 100644 --- a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml +++ b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/10" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -101,7 +101,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: ( "CreateAccessKey" or diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml index 393e91868..e00342302 100644 --- a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml +++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/25" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] @@ -78,7 +78,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:aws.cloudtrail +data_stream.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity) and event.outcome:success diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml index 7a16cf870..acbba0936 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -111,7 +111,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.dataset == "aws.cloudtrail" +iam where data_stream.dataset == "aws.cloudtrail" and event.provider == "iam.amazonaws.com" and event.action == "AttachGroupPolicy" and event.outcome == "success" 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml index 87734bebf..13e33f245 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -109,7 +109,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.dataset == "aws.cloudtrail" +iam where data_stream.dataset == "aws.cloudtrail" and event.provider == "iam.amazonaws.com" and event.action == "AttachRolePolicy" and event.outcome == "success" diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index f694877d8..433e0fa5b 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -113,7 +113,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.dataset == "aws.cloudtrail" +iam where data_stream.dataset == "aws.cloudtrail" and event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success" 
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 84d8b807e..a03ceb190 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -90,7 +90,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: "AttachRolePolicy" and event.outcome: "success" diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml index 924fb0794..e2144e9b9 100644 --- a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml +++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -115,7 +115,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: "UpdateSAMLProvider" and event.outcome: "success" diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index c8929a7f3..1a72a386b 100644 
--- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -88,7 +88,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: "UpdateAssumeRolePolicy" and event.outcome: "success" diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index 213f759f6..c855272d5 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -87,7 +87,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "AssumeRole" and event.outcome: "success" diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 43e24f0bc..1d4f13198 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -85,7 +85,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "AssumeRole" and event.outcome: "success" diff --git a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml index 8a9c66dfc..bd53d8ca7 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml +++ b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/24" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -152,7 +152,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "AssumeRoot" and event.outcome: "success" diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml index da6188b1d..cfe2841e1 100644 --- a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml +++ b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -104,7 +104,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' - event.dataset : "aws.cloudtrail" and + data_stream.dataset : "aws.cloudtrail" and event.provider : "sts.amazonaws.com" and event.action : "AssumeRole" and aws.cloudtrail.user_identity.type : "AssumedRole" and diff --git a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml index 275e3f821..42f84494f 100644 --- a/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml +++ b/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/11" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -93,7 +93,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" +data_stream.dataset: "aws.cloudtrail" and event.provider: "sns.amazonaws.com" and event.action: "CreateTopic" and event.outcome: "success" diff --git a/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml b/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml index 7e961e669..f146bd4bf 100644 --- a/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml +++ b/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/22" integration = ["azure"] maturity = "production" -updated_date = "2025/09/22" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.activitylogs" and +data_stream.dataset: "azure.activitylogs" and event.action: "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" and event.outcome: "success" and azure.activitylogs.properties.responseBody: *\"allowBlobPublicAccess\"\:true* diff --git a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml index 9fe428e0f..277feeb02 100644 --- a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml +++ b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -101,7 +101,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:azure.signinlogs +data_stream.dataset:azure.signinlogs and azure.signinlogs.properties.resource_id: ( 00000003-0000-0ff1-ce00-000000000000 or 6a9b9266-8161-4a7b-913a-a9eda19da220 diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml index 7ec1a3dc5..557ff63b6 100644 --- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/06" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:azure.graphactivitylogs +data_stream.dataset:azure.graphactivitylogs and azure.graphactivitylogs.properties.app_id:* and azure.graphactivitylogs.result_signature:200 and azure.graphactivitylogs.properties.c_idtyp:user diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml index 319b38ece..f207ceeb2 100644 --- a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml +++ b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -75,7 +75,7 @@ type = "esql" query = ''' from logs-azure.signinlogs-* metadata _id, _version, _index -| where event.category == "authentication" and event.dataset == "azure.signinlogs" and +| where event.category == "authentication" and data_stream.dataset == "azure.signinlogs" and azure.signinlogs.properties.original_transfer_method == "deviceCodeFlow" // Track events with deviceCode authentication protocol (browser auth) vs polling client diff --git a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml index feb44f03e..d5cfc2540 100644 --- a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml +++ b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -87,11 +87,11 @@ type = "eql" query = ''' sequence with maxspan=30m -[authentication where event.dataset == "azure.signinlogs" +[authentication where data_stream.dataset == "azure.signinlogs" and azure.signinlogs.category == "ServicePrincipalSignInLogs" and azure.signinlogs.properties.status.error_code == 0 ] by azure.signinlogs.properties.app_id -[any where event.dataset == "azure.activitylogs" +[any where data_stream.dataset == "azure.activitylogs" and azure.activitylogs.operation_name : "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION" and event.outcome : ("Success", "success") ] by azure.activitylogs.identity.claims.appid diff --git a/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml b/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml index 275eddfe8..117314737 100644 --- a/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml +++ b/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/23" integration = ["azure"] maturity = "production" -updated_date = "2025/09/23" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -75,7 +75,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.activitylogs" and +data_stream.dataset: "azure.activitylogs" and azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION" and azure.activitylogs.identity.authorization.evidence.principal_type: "User" and azure.activitylogs.identity.authorization.evidence.role: ( 
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml index e8fe5232b..06764bfd8 100644 --- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml +++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -94,7 +94,7 @@ from logs-azure.signinlogs-* | eval Esql.time_window_date_trunc = date_trunc(15 minutes, @timestamp) // Filter relevant failed authentication events with specific error codes -| where event.dataset == "azure.signinlogs" +| where data_stream.dataset == "azure.signinlogs" and event.category == "authentication" and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs") and event.outcome == "failure" diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml index a0016af7c..ebad6768f 100644 --- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml +++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." min_stack_version = "9.1.0" -updated_date = "2026/01/12" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.dataset: "azure.signinlogs" and event.category: "authentication" +data_stream.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.category: ("NonInteractiveUserSignInLogs" or "SignInLogs") and event.outcome: "failure" and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" diff --git a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml index 526996afd..6fd7cf9f9 100644 --- a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml +++ b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -97,7 +97,7 @@ from logs-azure.signinlogs-* Esql.azure_signinlogs_properties_app_display_name_lower = to_lower(azure.signinlogs.properties.app_display_name), Esql.user_agent_original = user_agent.original -| where event.dataset == "azure.signinlogs" +| where data_stream.dataset == "azure.signinlogs" and event.category == "authentication" and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs") and azure.signinlogs.properties.resource_display_name rlike "(.*)365|SharePoint|Exchange|Teams|Office(.*)" diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml index 2f571c663..da9e8221c 100644 --- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml +++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ from logs-azure.signinlogs-* metadata _id, _version, _index // Scheduled to run every hour, reviewing events from past hour | where @timestamp > now() - 1 hours - and event.dataset == "azure.signinlogs" + and data_stream.dataset == "azure.signinlogs" and source.ip is not null and azure.signinlogs.identity is not null and to_lower(event.outcome) == "success" diff --git a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml index a4e8626ee..ee801af25 100644 --- a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml +++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/11" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -89,7 +89,7 @@ from logs-azure.signinlogs-* metadata _id, _version, _index | where // filter for Entra Sign-in Logs - event.dataset == "azure.signinlogs" + data_stream.dataset == "azure.signinlogs" and azure.signinlogs.operation_name == "Sign-in activity" and azure.signinlogs.properties.user_type == "Member" diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml index 45e975c3b..f5b719aa1 100644 --- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml +++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -89,7 +89,7 @@ query = ''' from logs-azure.platformlogs-* metadata _id, _index // Filter for Azure Key Vault read operations -| where event.dataset == "azure.platformlogs" +| where data_stream.dataset == "azure.platformlogs" and event.action in ( "VaultGet", "KeyGet", diff --git a/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml index 97cd0520a..0796f9616 100644 --- a/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml +++ b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -86,7 +86,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset : "azure.platformlogs" and +data_stream.dataset : "azure.platformlogs" and event.outcome: "success" and event.action : ( "VaultGet" or diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml index c09f67d0a..cdc5cf359 100644 --- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml +++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/12" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] 
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name: +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index e87f96770..bb546674e 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -79,7 +79,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml index a7edb7fe4..491140ad5 100644 --- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -67,7 +67,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index 42fb0d38b..6a0e32c18 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml index 7f1c35aed..c2a83bd3f 100644 --- a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml +++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:azure.activitylogs +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 2216b229f..1c56f1124 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] @@ -73,7 +73,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml index 4030e9393..8b172e0fb 100644 --- a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml index a8c8310ea..a3f501fe8 100644 --- a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] @@ -79,7 +79,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 80d0f3312..f16bf04db 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml index 6a7f6f9d0..1ce24f343 100644 --- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/27" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and event.outcome: "success" ''' diff --git a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml index 419271760..401ddb47c 100644 --- a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml +++ b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] 
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:( "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and event.outcome:(Success or success) diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml index dcdc2b1b8..c72024fb2 100644 --- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml +++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/03" integration = ["azure", "o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -106,7 +106,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset : ( +any where data_stream.dataset : ( "azure.activitylogs", "azure.graphactivitylogs", "azure.auditlogs", diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml index d8c4b0c0a..054deba18 100644 --- a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml +++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure", "o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:("azure.signinlogs" or "o365.audit") +data_stream.dataset:("azure.signinlogs" or "o365.audit") and ((user_agent.name:"Electron" and user_agent.os.name:"Windows" and user_agent.version:"8.5.1") or user_agent.original:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36") ''' diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml index 3f143b019..8216140ed 100644 --- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml +++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml index c70aad563..8d97058e2 100644 --- a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -68,7 +68,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or diff --git a/rules/integrations/azure/execution_compute_vm_command_executed.toml b/rules/integrations/azure/execution_compute_vm_command_executed.toml index ed55167ba..894930103 100644 --- a/rules/integrations/azure/execution_compute_vm_command_executed.toml +++ b/rules/integrations/azure/execution_compute_vm_command_executed.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -77,7 +77,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml index e24a3b4a3..5114c9fab 100644 --- a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml +++ b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/02" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: azure.platformlogs and +data_stream.dataset: azure.platformlogs and event.action: GetBlob and azure.platformlogs.identity.type: SAS and azure.platformlogs.properties.userAgentHeader: AzCopy* and diff --git a/rules/integrations/azure/impact_azure_compute_restore_point_collection_deleted.toml b/rules/integrations/azure/impact_azure_compute_restore_point_collection_deleted.toml index bf171ccb0..66b264bfd 100644 --- a/rules/integrations/azure/impact_azure_compute_restore_point_collection_deleted.toml +++ b/rules/integrations/azure/impact_azure_compute_restore_point_collection_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/13" integration = ["azure"] maturity = "production" -updated_date = "2025/10/13" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -82,7 +82,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: azure.activitylogs and +data_stream.dataset: azure.activitylogs and event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and event.outcome: (Success or success) ''' diff --git a/rules/integrations/azure/impact_azure_compute_restore_point_collections_deleted.toml b/rules/integrations/azure/impact_azure_compute_restore_point_collections_deleted.toml index 421042be6..be5456403 100644 --- a/rules/integrations/azure/impact_azure_compute_restore_point_collections_deleted.toml +++ b/rules/integrations/azure/impact_azure_compute_restore_point_collections_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/13" integration = ["azure"] maturity = "production" -updated_date = "2025/10/13" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -103,7 +103,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.dataset: azure.activitylogs and +data_stream.dataset: azure.activitylogs and event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and event.outcome: (Success or success) ''' diff --git a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml index be0e1e3a0..dbd05834c 100644 --- a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml +++ b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/10" integration = ["azure"] maturity = "production" -updated_date = "2025/10/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -82,7 +82,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: azure.activitylogs and +data_stream.dataset: azure.activitylogs and azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and azure.activitylogs.properties.status_code: "Accepted" and azure.activitylogs.identity.claims_initiated_by_user.name: * diff --git a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml index 6592f3dc2..ac867c9e1 100644 --- a/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml +++ b/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/10" integration = ["azure"] maturity = "production" -updated_date = "2025/10/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.dataset: azure.activitylogs and +data_stream.dataset: azure.activitylogs and azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and azure.activitylogs.properties.status_code: "Accepted" and azure.activitylogs.identity.claims_initiated_by_user.name: * diff --git a/rules/integrations/azure/impact_azure_storage_account_deletion.toml b/rules/integrations/azure/impact_azure_storage_account_deletion.toml index 880e9a87e..4e9b6b0fe 100644 --- a/rules/integrations/azure/impact_azure_storage_account_deletion.toml +++ b/rules/integrations/azure/impact_azure_storage_account_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/08" integration = ["azure"] maturity = "production" -updated_date = "2025/10/08" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -78,7 +78,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: azure.activitylogs and +data_stream.dataset: azure.activitylogs and azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE" and azure.activitylogs.identity.claims_initiated_by_user.name: * ''' diff --git a/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml b/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml index b3ce7ddb0..72ae8b2d4 100644 --- a/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml +++ b/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/08" integration = ["azure"] maturity = "production" -updated_date = "2025/10/08" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.dataset: azure.activitylogs and +data_stream.dataset: azure.activitylogs and azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE" and azure.activitylogs.identity.claims_initiated_by_user.name: * ''' diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index da3cbcf9a..5162b13b9 100644 --- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -72,7 +72,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.activitylogs" +data_stream.dataset: "azure.activitylogs" and azure.activitylogs.operation_name: MICROSOFT.KEYVAULT/VAULTS/* and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index e1be4f4ec..1a3e54ef8 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] @@ -71,7 +71,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and event.outcome:(Success or success) ''' 
diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml index feea463d8..e583a83dd 100644 --- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml index c2c69a968..3fa431963 100644 --- a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml +++ b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.activitylogs" +data_stream.dataset: "azure.activitylogs" and azure.activitylogs.operation_name: "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION" and event.outcome: (Success or success) ''' 
diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml index 83c4a5b14..1badafc19 100644 --- a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/24" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' - event.dataset:(azure.activitylogs or azure.signinlogs) + data_stream.dataset:(azure.activitylogs or azure.signinlogs) and azure.signinlogs.properties.authentication_protocol:deviceCode and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e and event.outcome:success or ( diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index 4425f39fc..9cb5e978a 100644 --- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
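Review bot: In the device-code broker-client query the new `data_stream.dataset:(azure.activitylogs or azure.signinlogs)` term is part of the first disjunct only; KQL binds `and` tighter than `or`, so the branch that opens with `or (` at the end of the hunk is not scoped by it unless that branch repeats the filter. The remainder of the query lies outside the hunk, so this may already be handled there, but if it is not, hoisting the dataset term above both branches, `data_stream.dataset:(azure.activitylogs or azure.signinlogs) and ((...first branch...) or (...second branch...))`, keeps the whole rule restricted to the intended data streams and avoids matching unrelated documents that happen to satisfy the second branch.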
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) +data_stream.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml index 4ec0e262a..4ae3c5e77 100644 --- a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -95,7 +95,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.signinlogs" +data_stream.dataset: "azure.signinlogs" and azure.signinlogs.category: "ServicePrincipalSignInLogs" and azure.signinlogs.properties.client_credential_type: "federatedIdentityCredential" and azure.signinlogs.result_signature: "SUCCESS" diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml index 901507c48..8e9d465b4 100644 --- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -84,7 +84,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:(azure.activitylogs or azure.signinlogs) +data_stream.dataset:(azure.activitylogs or azure.signinlogs) and ( azure.signinlogs.properties.authentication_protocol:deviceCode or azure.signinlogs.properties.original_transfer_method:deviceCodeFlow or diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 696c20a2a..fda2992e2 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml +++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2026/03/30" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -93,11 +93,11 @@ type = "esql" query = ''' from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _version, _index | where - (event.dataset == "azure.signinlogs" + (data_stream.dataset == "azure.signinlogs" and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" and azure.signinlogs.properties.session_id is not null) or - (event.dataset == "azure.graphactivitylogs" + (data_stream.dataset == "azure.graphactivitylogs" and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" and azure.graphactivitylogs.properties.c_sid is not null) 
@@ -108,12 +108,12 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers Esql.source_ip = source.ip, Esql.@timestamp = @timestamp, Esql.event_type_case = case( - event.dataset == "azure.signinlogs", "signin", - event.dataset == "azure.graphactivitylogs", "graph", + data_stream.dataset == "azure.signinlogs", "signin", + data_stream.dataset == "azure.graphactivitylogs", "graph", "other" ), - Esql.signin_source_asn = case(event.dataset == "azure.signinlogs", source.`as`.organization.name, null), - Esql.graph_source_asn = case(event.dataset == "azure.graphactivitylogs", source.`as`.organization.name, null) + Esql.signin_source_asn = case(data_stream.dataset == "azure.signinlogs", source.`as`.organization.name, null), + Esql.graph_source_asn = case(data_stream.dataset == "azure.graphactivitylogs", source.`as`.organization.name, null) | where Esql.azure_signinlogs_properties_app_id_coalesce not in ( "4354e225-50c9-4423-9ece-2d5afd904870", // Augmentation Loop diff --git a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml index d24d17570..36e607d1c 100644 --- a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Willem D'Haese"] @@ -73,7 +73,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.signinlogs and +data_stream.dataset:azure.signinlogs and ( azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high 
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml index 2c633fc89..363a640cd 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/17" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.signinlogs" and +data_stream.dataset: "azure.signinlogs" and event.outcome: "success" and azure.signinlogs.properties.user_type: "Member" and ( diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml index e5ddf8e98..4e3e844f2 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "azure.signinlogs" and +data_stream.dataset: "azure.signinlogs" and event.action: "Sign-in activity" and event.outcome: "success" and ( 
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml index f21da0d51..54ef36acc 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/03" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: azure.signinlogs and +data_stream.dataset: azure.signinlogs and azure.signinlogs.properties.authentication_processing_details: *user_impersonation* and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" and azure.signinlogs.properties.token_issuer_type: "AzureAD" and diff --git a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml index 470aa856c..6b1ddde0c 100644 --- a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -82,7 +82,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.signinlogs and +data_stream.dataset:azure.signinlogs and azure.signinlogs.properties.app_display_name:"Azure Active Directory PowerShell" and azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success) ''' 
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml index 6913e3e88..20416dde1 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ type = "eql" query = ''' sequence by azure.identityprotection.properties.user_principal_name with maxspan=10m -[any where event.module == "azure" and event.dataset == "azure.identity_protection"] with runs=2 +[any where event.module == "azure" and data_stream.dataset == "azure.identity_protection"] with runs=2 ''' diff --git a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml index 2fd952dda..6fc82e7d2 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/06" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -97,7 +97,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: azure.identity_protection and +data_stream.dataset: azure.identity_protection and azure.identityprotection.properties.risk_detail: ( "adminConfirmedSigninCompromised" or "adminConfirmedUserCompromised" 
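Review bot: The sequence predicate still keys on `event.module == "azure"` beside the new `data_stream.dataset == "azure.identity_protection"`, which is redundant because the dataset value already identifies the integration, and if the reason for dropping `event.dataset` is that `event.*` provenance fields are not reliably populated, the same reservation applies to `event.module`. Consider `[any where data_stream.dataset == "azure.identity_protection"] with runs=2` so the rule depends on a single provenance field. The other Azure hunks in this range appear to key on `data_stream.dataset` alone, so this is the one predicate that still mixes the two.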
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml index 9d467e9ed..bf6f4e673 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/29" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2026/01/07" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -93,7 +93,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "azure.identity_protection" and +data_stream.dataset: "azure.identity_protection" and event.action: "User Risk Detection" and azure.identityprotection.properties.activity: "signin" and not azure.identityprotection.properties.risk_state: ( diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml index e70380965..3f97a4ee0 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/06/02" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2026/01/07" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -90,7 +90,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "azure.identity_protection" and +data_stream.dataset: "azure.identity_protection" and event.action: ("User Risk Detection" or "Risky user") and azure.identityprotection.properties.activity: "user" and not azure.identityprotection.properties.risk_state: ( 
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index d0ac2d950..2ad9e2ee6 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.signinlogs" and event.category: "authentication" +data_stream.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.is_interactive: false and azure.signinlogs.properties.user_type: "Member" and not azure.signinlogs.properties.client_app_used: "Browser" diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index cb949f7b8..8542f6ca1 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.signinlogs" and event.category: "authentication" +data_stream.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.user_type: "Member" and azure.signinlogs.properties.authentication_details.authentication_method: "Password" and not azure.signinlogs.properties.device_detail.browser: * diff --git a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml index 981205bc9..15c46a6f4 100644 --- a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml +++ b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] @@ -78,7 +78,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.signinlogs and +data_stream.dataset:azure.signinlogs and azure.signinlogs.properties.risk_state:("confirmedCompromised" or "atRisk") and event.outcome:(success or Success) ''' diff --git a/rules/integrations/azure/initial_access_entra_id_service_principal_signin_unusual_source_asn.toml b/rules/integrations/azure/initial_access_entra_id_service_principal_signin_unusual_source_asn.toml index 7ade8a02c..a6231df40 100644 --- a/rules/integrations/azure/initial_access_entra_id_service_principal_signin_unusual_source_asn.toml +++ b/rules/integrations/azure/initial_access_entra_id_service_principal_signin_unusual_source_asn.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/04/03" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:azure.signinlogs +data_stream.dataset:azure.signinlogs and azure.signinlogs.category:ServicePrincipalSignInLogs and azure.signinlogs.properties.status.error_code:0 and azure.signinlogs.properties.service_principal_id:* diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index 74b30ff9e..d16b7a3ca 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -91,7 +91,7 @@ type = "esql" query = ''' from logs-azure.signinlogs-* metadata _id, _version, _index | where - event.dataset == "azure.signinlogs" and + data_stream.dataset == "azure.signinlogs" and event.outcome == "success" and azure.signinlogs.properties.user_type == "Member" and azure.signinlogs.identity is not null and diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index c44ae464c..73652de96 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.signinlogs" and +data_stream.dataset: "azure.signinlogs" and azure.signinlogs.properties.authentication_protocol: "ropc" and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" and azure.signinlogs.properties.user_type: "Member" and diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml index ffd21e012..06a6dfea1 100644 --- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/21" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Willem D'Haese"] @@ -70,7 +70,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "azure.auditlogs" +data_stream.dataset: "azure.auditlogs" and azure.auditlogs.operation_name: "Suspicious activity reported" and azure.auditlogs.properties.additional_details.key: "AuthenticationMethod" and azure.auditlogs.properties.target_resources.*.type: "User" diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index 030a4b220..cbcfdc258 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.graphactivitylogs" +data_stream.dataset: "azure.graphactivitylogs" and event.type: "access" and azure.graphactivitylogs.properties.app_id: * and azure.graphactivitylogs.properties.c_idtyp: "user" diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml index 222286c88..2fa13e71c 100644 --- a/rules/integrations/azure/persistence_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/persistence_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml index 8329792a5..cd7496bf4 100644 --- a/rules/integrations/azure/persistence_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_automation_webhook_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name: ( "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or diff --git a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml index f52e088dc..26b7d7f04 100644 --- a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml +++ b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) +data_stream.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) ''' diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index c4d989ec3..9d1427b1b 100644 --- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.auditlogs" +data_stream.dataset: "azure.auditlogs" and event.action:"Update conditional access policy" and event.outcome: "success" ''' diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 29ec1157e..862c8d4de 100644 --- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and +data_stream.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:"Add member to role" and azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: "\"Global Administrator\"" diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index 399321fc3..188160ecd 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "azure.auditlogs" and +data_stream.dataset: "azure.auditlogs" and (azure.auditlogs.operation_name: "Disable Strong Authentication" or ( azure.auditlogs.operation_name: "User deleted security info" and diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index ac59e69ab..7c2594849 100644 --- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and +data_stream.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or "Add member to role in PIM completed (timebound)") and azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index 58d2f4e9d..f0366644a 100644 --- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) +data_stream.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index ec43155f2..9f90cb117 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ type = "eql" query = ''' sequence by azure.signinlogs.properties.user_id, azure.signinlogs.properties.device_detail.device_id with maxspan=1h [authentication where - event.dataset == "azure.signinlogs" and + data_stream.dataset == "azure.signinlogs" and azure.signinlogs.category == "NonInteractiveUserSignInLogs" and azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e" and azure.signinlogs.properties.incoming_token_type == "refreshToken" and @@ -80,7 +80,7 @@ sequence by azure.signinlogs.properties.user_id, azure.signinlogs.properties.dev azure.signinlogs.result_signature == "SUCCESS" ] [authentication where - event.dataset == "azure.signinlogs" and + data_stream.dataset == "azure.signinlogs" and azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and azure.signinlogs.properties.resource_display_name != "Device Registration Service" and azure.signinlogs.result_signature == "SUCCESS" and 
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_created.toml b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml index 1aab71c38..f938c5770 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_created.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -87,7 +87,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs +data_stream.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) and not azure.auditlogs.identity: ( diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index d294fd521..770383974 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -73,7 +73,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.auditlogs" +data_stream.dataset: "azure.auditlogs" and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome: "success" ''' diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index b61fccee5..f5d66ef0f 100644 
--- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "azure.signinlogs" and +data_stream.dataset: "azure.signinlogs" and azure.signinlogs.properties.app_id : "29d9ed98-a469-4536-ade2-f981bc1d605e" and azure.signinlogs.properties.resource_id : "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" and azure.signinlogs.category: "NonInteractiveUserSignInLogs" and diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml index d3b95428b..4b5f06f0f 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -86,7 +86,7 @@ type = "eql" query = ''' sequence by azure.correlation_id with maxspan=5m -[any where event.dataset == "azure.auditlogs" and +[any where data_stream.dataset == "azure.auditlogs" and azure.auditlogs.identity == "Device Registration Service" and azure.auditlogs.operation_name == "Add device" and ( 
@@ -96,10 +96,10 @@ sequence by azure.correlation_id with maxspan=5m ) and `azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name` == "CloudAccountEnabled" and `azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value` == "[true]"] -[any where event.dataset == "azure.auditlogs" and +[any where data_stream.dataset == "azure.auditlogs" and azure.auditlogs.operation_name == "Add registered users to device" and `azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value` like "*urn:ms-drs:enterpriseregistration.windows.net*"] -[any where event.dataset == "azure.auditlogs" and +[any where data_stream.dataset == "azure.auditlogs" and azure.auditlogs.operation_name == "Add registered owner to device"] ''' diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index dcc9cdf62..c54c8b4ff 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) +data_stream.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index fd050eb7f..1e81b302f 100644 
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) +data_stream.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index f26e6c6a3..c69f94472 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -73,7 +73,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "azure.signinlogs" and +data_stream.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.user_type: "Member" and azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml index fc8d63fc4..bbea4b3eb 100644 --- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml 
+++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -72,7 +72,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) +data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index b0db08245..9a56e95e0 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -66,7 +66,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: azure.graphactivitylogs and +data_stream.dataset: azure.graphactivitylogs and url.path: *authenticationMethodsPolicy* and http.request.method: "PATCH" and http.response.status_code: 200 diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml index 757b281be..28f5f3309 100644 --- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml 
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,8 +74,8 @@ type = "eql"
 query = '''
 sequence with maxspan=5m
-[any where event.dataset == "azure.identity_protection"] by azure.identityprotection.properties.user_principal_name
-[any where event.dataset == "azure.auditlogs" and event.action == "Register device"] by azure.auditlogs.properties.initiated_by.user.userPrincipalName
+[any where data_stream.dataset == "azure.identity_protection"] by azure.identityprotection.properties.user_principal_name
+[any where data_stream.dataset == "azure.auditlogs" and event.action == "Register device"] by azure.auditlogs.properties.initiated_by.user.userPrincipalName
 '''
diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
index 658060292..e5ac6ea70 100644
--- a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/15"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: azure.activitylogs and
+data_stream.dataset: azure.activitylogs and
 event.action: "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" and
 azure.activitylogs.properties.requestbody.properties.roleDefinitionId: (
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index fa9e622f4..36adb58d8 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -80,7 +80,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: azure.auditlogs
+data_stream.dataset: azure.auditlogs
 and (
 azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources" or
 azure.auditlogs.properties.additional_details.value: "Microsoft.Authorization/elevateAccess/action"
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml
index 86c734cab..aab7eeeaf 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_tenant_domain_federation_via_audit_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: azure.auditlogs
+data_stream.dataset: azure.auditlogs
 and azure.auditlogs.properties.category: DirectoryManagement and
 event.action: ("Set domain authentication" or "Set federation settings on domain") and
 event.outcome: success
diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
index b400b2509..99401890e 100644
--- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Austin Songer"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
+data_stream.dataset:azure.activitylogs and azure.activitylogs.operation_name:
 ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
 "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
 event.outcome:(Success or success)
diff --git a/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml b/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml
index a35e82f31..c6ff315a8 100644
--- a/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml
+++ b/rules/integrations/azure/resource_development_entra_id_custom_domain_added_and_verified.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/25"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: azure.auditlogs
+data_stream.dataset: azure.auditlogs
 and azure.auditlogs.properties.category: DirectoryManagement and
 event.action: ("Add unverified domain" or "Verify domain") and
 event.outcome: success
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 92c6ca0ff..b9cb223e8 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/23"
 integration = ["cyberarkpas"]
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:cyberarkpas.audit and event.type:error
+data_stream.dataset:cyberarkpas.audit and event.type:error
 '''
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 5b7dd0fa5..72c353ecf 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/23"
 integration = ["cyberarkpas"]
 maturity = "production"
 promotion = true
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:cyberarkpas.audit and
+data_stream.dataset:cyberarkpas.audit and
 event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and not event.type:error
diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
index c1132aad5..b27e8a9bf 100644
--- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml
+++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["fim"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
+file where host.os.type == "linux" and data_stream.dataset == "fim.event" and event.action == "updated" and
 file.path : (
 // cron, anacron & at
 "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 33faa5567..7f4efa808 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index 0473d5f4f..d5ff75c91 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 9d21843dd..ae1a0d57f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
+data_stream.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index d6c9d4f6b..1fce8da39 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
+data_stream.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 3e4fed740..af87edec8 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
+data_stream.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 8f5b62bc2..891dae76f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index e31c93cdc..155bfaab8 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index e3ee14773..d303ff392 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 3a37cf5dd..56d880a7b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/18"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 57cc51606..dfa5561fe 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index b73908983..b3f8c680a 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 53b59b684..bed582399 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 2c3215cd6..7663e10ec 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
+data_stream.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 535b01be8..f7ec57dba 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 54b9bf8b3..6eb74c545 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 785f4fb25..78e0dbc36 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 46cffe583..0ba4a8636 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 941a8c6dc..deb6d28fa 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 2f75f2ef1..c8267d4bb 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:"storage.buckets.delete"
+data_stream.dataset:gcp.audit and event.action:"storage.buckets.delete"
 '''
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 062541f23..610ca4435 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 6d3e2886d..1cc9c99a4 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index c4c1bd548..7f35eeb05 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success
 '''
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 176344f20..634f188dc 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["gcp"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
+data_stream.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success
 '''
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index 505b0df63..5ebec7f40 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-configuration where event.dataset == "github.audit"
+configuration where data_stream.dataset == "github.audit"
 and github.category == "protected_branch" and event.type == "change"
 '''
diff --git a/rules/integrations/github/defense_evasion_secret_scanning_disabled.toml b/rules/integrations/github/defense_evasion_secret_scanning_disabled.toml
index dabf519a2..00fde67dc 100644
--- a/rules/integrations/github/defense_evasion_secret_scanning_disabled.toml
+++ b/rules/integrations/github/defense_evasion_secret_scanning_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/16"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-configuration where event.dataset == "github.audit" and event.type == "change" and event.action == "repository_secret_scanning.disable"
+configuration where data_stream.dataset == "github.audit" and event.type == "change" and event.action == "repository_secret_scanning.disable"
 '''
 [[rule.threat]]
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index f480ad701..ea70a81fe 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
+configuration where data_stream.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
 '''
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 09f3929e3..a50a1cb44 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
+data_stream.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
 github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
 github.repository_public:false
 '''
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index d7660e1b6..7d9c82a27 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
+configuration where data_stream.dataset == "github.audit" and event.action == "integration_installation.create"
 '''
diff --git a/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml b/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml
index 13367f9a5..5770ec857 100644
--- a/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml
+++ b/rules/integrations/github/exfiltration_github_private_repository_turned_public.toml
@@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -configuration where event.dataset == "github.audit" and github.operation_type == "modify" and github.category == "repo" and +configuration where data_stream.dataset == "github.audit" and github.operation_type == "modify" and github.category == "repo" and event.action == "repo.access" and github.previous_visibility == "private" and github.visibility == "public" ''' diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml index 3832a1524..dd1b2d07c 100644 --- a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml +++ b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ from logs-github.audit-* metadata _id, _index, _version Esql.github_user_agent_values = values(github.user_agent), Esql.user_name_values = values(user.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by user.name diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml index f93858e67..ed65c8d8b 100644 --- a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml +++ b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml 
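Review bot: Renaming the aggregated column from `Esql.event_dataset_values` to `Esql.data_stream_dataset_values` in the `STATS ... BY user.name` block of the cloning-by-user rule changes the field names written into the alert document, so any saved search, dashboard, case template, or exception list keyed on `Esql.event_dataset_values` for this rule stops resolving after the upgrade. The value is also effectively constant here: with `from logs-github.audit-*` every matched index should belong to the `github.audit` dataset, so the column carries no triage information beyond what `Esql.data_stream_namespace_values` already provides. Either drop the column, or keep the old one alongside the new one for a release, `Esql.event_dataset_values = values(event.dataset),`, and call out the rename in the rule's change notes. The enclosing ES|QL query starts before this hunk.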
@@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ tags = [ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:"github.audit" and event.action:("git.push" or "git.clone") and github.repository_public:false +data_stream.dataset:"github.audit" and event.action:("git.push" or "git.clone") and github.repository_public:false ''' [[rule.threat]] diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml index 19dff9fd7..804b18e25 100644 --- a/rules/integrations/github/impact_github_repository_deleted.toml +++ b/rules/integrations/github/impact_github_repository_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -65,7 +65,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy" +configuration where event.module == "github" and data_stream.dataset == "github.audit" and event.action == "repo.destroy" ''' diff --git a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml index ce69ec2c8..13c75a9f7 100644 --- a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
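Review bot: Because the repository-activity-from-unusual-IP rule is a `new_terms` rule, switching the query to `data_stream.dataset:"github.audit"` also changes which historical documents form the baseline: any `git.push`/`git.clone` events in the history window that were indexed without `data_stream.dataset` (for example data ingested before the integration wrote to a data stream, or through a non-Fleet path) drop out of the baseline, so IPs that were already seen can be reported as new once the updated rule is installed. That is a false-positive burst rather than a miss, but it lands on analysts at upgrade time. Consider stating in the rule's `note` (outside this hunk) that a one-off wave of "new" IPs is expected after the update, or temporarily writing `(data_stream.dataset:"github.audit" or event.dataset:"github.audit")` so the baseline spans both field names. The rule's `new_terms_fields` and history window are not visible in this hunk.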
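Review bot: The `repo.destroy` query keeps `event.module == "github"` in front of the new `data_stream.dataset == "github.audit"` predicate, while the other GitHub rules visible in this diff (for example `repository_secret_scanning.disable` and `integration_installation.create`) scope on the dataset alone. The module check adds nothing once the dataset is pinned, and the inconsistency makes it harder to grep the rule set for one canonical scoping predicate. Suggest `configuration where data_stream.dataset == "github.audit" and event.action == "repo.destroy"`.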
@@ -79,7 +79,7 @@ from logs-github.audit-* metadata _id, _index, _version Esql.github_pull_request_url_values = values(github.pull_request_url), Esql.user_name_values = values(user.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by user.name diff --git a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml index f7975e321..c6e97c86c 100644 --- a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ from logs-github.audit-* metadata _id, _index, _version Esql.github_reasons_message_value = values(github.reasons.message), Esql.user_name_values = values(user.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by user.name diff --git a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml index db556bfbf..6977d7b43 100644 --- a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml 
@@ -4,7 +4,7 @@ integration = ["github"] maturity = "production" min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview" min_stack_version = "9.2.0" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -84,7 +84,7 @@ from logs-github.audit-* metadata _id, _index, _version Esql.github_reasons_message_values = values(github.reasons.message), Esql.user_name_values = values(user.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by user.name diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml index dd4d72e5c..29f63ccf5 100644 --- a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml +++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/09" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -77,7 +77,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "github.audit" and +data_stream.dataset: "github.audit" and event.action: "git.push" and user.name: "github-actions[bot]" ''' diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml index 6cb779a03..67a7bc803 100644 --- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml +++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:"github.audit" and +data_stream.dataset:"github.audit" and event.category:"configuration" and event.action: ( "repo.register_self_hosted_runner" or diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index ab17df05e..ec6aad7ec 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -66,7 +66,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" +iam where data_stream.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" ''' diff --git a/rules/integrations/github/persistence_new_pat_created.toml b/rules/integrations/github/persistence_new_pat_created.toml index ca627a7c4..2e10e92a9 100644 --- a/rules/integrations/github/persistence_new_pat_created.toml +++ b/rules/integrations/github/persistence_new_pat_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -65,7 +65,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -configuration where event.dataset == "github.audit" and github.operation_type == "create" and +configuration where data_stream.dataset == "github.audit" and github.operation_type == "create" and github.category == "personal_access_token" and event.action == "personal_access_token.access_granted" ''' diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index b43529671..96cb28f96 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -64,7 +64,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" +iam where data_stream.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" ''' diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 7cab15de6..dc1f732d2 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" +data_stream.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" and event.category:"iam" and google_workspace.admin.application.name:Drive* ''' diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml index 8b3387a9e..a0afd2e48 100644 --- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml +++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/13" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -94,7 +94,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") +data_stream.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") and google_workspace.event.type:"EMAIL_SETTINGS" and google_workspace.admin.setting.name:("EMAIL_ROUTE" or "MESSAGE_SECURITY_RULE") ''' diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 464366aa8..1779f9cac 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml 
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -91,7 +91,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and +file where data_stream.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and google_workspace.drive.visibility: "people_with_link" and source.user.email == "" and file.extension: ( "token","assig", "pssc", "keystore", "pub", "pgp.asc", "ps1xml", "pem", "gpg.sig", "der", "key", diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index 6306e9be4..5f0f66f4c 100644 --- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -98,7 +98,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and +data_stream.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and event.action:"CHANGE_APPLICATION_SETTING" and google_workspace.admin.application.name:"Google Workspace Marketplace" and google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true* diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index 987573a35..facd73b27 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -93,7 +93,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS ''' diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml index c6a45f868..7678e3819 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml 
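Review bot: The `ADD_TRUSTED_DOMAINS` query writes the dataset unquoted, `data_stream.dataset:google_workspace.admin`, while the `CHANGE_APPLICATION_SETTING` query immediately above it in this diff uses `data_stream.dataset:"google_workspace.admin"`. Both forms are accepted by KQL (the unquoted form was already shipping in these rules), but mixing them in one commit that touches the same field in every rule makes a later search-and-replace or lint check on that field more error-prone. Suggest `data_stream.dataset:"google_workspace.admin" and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS` so the scoping predicate reads identically across the google_workspace directory.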
@@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -93,7 +93,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) +data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker* ''' diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml index 625a14b96..38ebc0ff5 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/30" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -83,7 +83,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "google_workspace.token" and event.action: "authorize" and +data_stream.dataset: "google_workspace.token" and event.action: "authorize" and google_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com ''' diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index 2b52d566d..a9aedebc9 100644 
--- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml +++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -100,7 +100,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) +data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace" and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL" ''' diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml index 785c4f8d8..e35ab4594 100644 --- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml +++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2023/01/15" integration = ["google_workspace"] maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -51,7 +51,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: google_workspace.alert +data_stream.dataset: google_workspace.alert ''' 
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index 6ca7e8646..836fc780c 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -93,7 +93,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE ''' diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 25db10203..cb2fc71ca 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -95,7 +95,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.provider:admin +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false ''' 
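Review bot: With the `DELETE_ROLE` query now scoped by `data_stream.dataset:google_workspace.admin`, the retained `event.provider:admin` predicate looks redundant, since the admin reports data stream presumably carries only admin-application events; sibling rules changed in this same diff (`UNSUSPEND_USER`, `ASSIGN_ROLE`, `MOVE_USER_TO_ORG_UNIT`) already scope on the dataset without it. A redundant predicate is harmless for matching, but it is one more thing that can drift if the integration ever changes how `event.provider` is populated. If `event.provider` is indeed always `admin` in this dataset (worth confirming against the integration's pipeline), `data_stream.dataset:google_workspace.admin and event.category:iam and event.action:DELETE_ROLE` is sufficient and consistent with the rest of the directory.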
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 9ae1d29e3..63bea146c 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -97,7 +97,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and +iam where data_stream.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and not endsWith(user.target.email, user.target.group.domain) ''' diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index 1b4990aa4..02aa104eb 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -88,7 +88,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER +data_stream.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER ''' 
diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index afa271c9b..511fd2b90 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -99,7 +99,7 @@ type = "eql" query = ''' sequence by source.user.email with maxspan=3m -[file where event.dataset == "google_workspace.drive" and event.action == "copy" and +[file where data_stream.dataset == "google_workspace.drive" and event.action == "copy" and /* Should only match if the object lives in a Drive that is external to the user's GWS organization */ google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" and @@ -107,7 +107,7 @@ sequence by source.user.email with maxspan=3m /* Google Script, Forms, Sheets and Document can have container-bound scripts */ google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")] -[any where event.dataset == "google_workspace.token" and event.action == "authorize" and +[any where data_stream.dataset == "google_workspace.token" and event.action == "authorize" and /* Ensures application ID references custom app in Google Workspace and not GCP */ google_workspace.token.client.id : "*apps.googleusercontent.com"] diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index 88bf490d5..443310b35 100644 
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -97,7 +97,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION ''' diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml index 5e354b05b..e44ccb568 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/26" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -97,7 +97,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.login" and event.action:"2sv_disable" +data_stream.dataset:"google_workspace.login" and event.action:"2sv_disable" ''' diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index 6d63f4458..088da1397 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml 
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -100,7 +100,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" +data_stream.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" and google_workspace.event.type:"DELEGATED_ADMIN_SETTINGS" and google_workspace.admin.role.name : *_ADMIN_ROLE ''' diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml index 0783b41bd..6b772e853 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/12" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -94,7 +94,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml index 6ccf74de9..c7ffd4268 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml 
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -98,7 +98,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE ''' diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml index 479e37fcf..201e11c89 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -96,7 +96,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and +data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and google_workspace.admin.setting.name:( "Password Management - Enforce strong password" or diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml index 57d821e33..471e4de25 100644 --- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml 
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
+data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
 '''
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index 5d52d7026..93306674b 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -99,7 +99,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:"google_workspace.admin" and event.type:change and event.category:iam
+data_stream.dataset:"google_workspace.admin" and event.type:change and event.category:iam
 and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
 '''
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index b86f191f0..e3e1bf419 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
+data_stream.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
 '''
diff --git a/rules/integrations/kubernetes/credential_access_get_secrets_access.toml b/rules/integrations/kubernetes/credential_access_get_secrets_access.toml
index 96858b147..a2063e10e 100644
--- a/rules/integrations/kubernetes/credential_access_get_secrets_access.toml
+++ b/rules/integrations/kubernetes/credential_access_get_secrets_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/26"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/04/06"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
+data_stream.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
 kubernetes.audit.verb:("get" or "list") and user_agent.original:(* and not (*kubernetes/$Format))
 '''
diff --git a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml
index 106c1158e..bcf481878 100644
--- a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml
+++ b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/27"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "delete" and
+any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "delete" and
 kubernetes.audit.objectRef.resource == "events" and kubernetes.audit.stage == "ResponseComplete"
 '''
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index d2956e2aa..4630a7f8c 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and
+data_stream.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.user.username:system\:serviceaccount\:* and kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and user_agent.original:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 8d281cecb..c77fe7c05 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset : "kubernetes.audit_logs" and
+data_stream.dataset : "kubernetes.audit_logs" and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and (
diff --git a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml
index 0a7e58df7..f66c19be7 100644
--- a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml
+++ b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "kubernetes.audit_logs" and (
+any where data_stream.dataset == "kubernetes.audit_logs" and (
 kubernetes.audit.user.username in ("system:anonymous", "system:unauthenticated") or kubernetes.audit.user.username == null or kubernetes.audit.user.username == ""
diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
index 3d7530a10..83ec206a5 100644
--- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/24"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
+any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
 kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
 '''
diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
index 3ee8f23c9..4ac7e15cb 100644
--- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and
+data_stream.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.stage:"ResponseComplete" and kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and user_agent.original:(* and not (*kubernetes/$Format))
diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
index da9b80ada..8abe1dc83 100644
--- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and
+data_stream.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and
 user_agent.original:(* and not (*kubernetes/$Format)) and not ( user_agent.original:kubelet* and
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index f49b05dbd..b881749eb 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb in ("get", "create") and
+any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb in ("get", "create") and
 kubernetes.audit.objectRef.subresource == "exec" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and kubernetes.audit.level == "Request" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and not (
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 1ac77ed68..3686ac21f 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and
+data_stream.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *) and user_agent.original:(* and not (*kubernetes/$Format)) and
diff --git a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
index ac83b601e..29aa441d5 100644
--- a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
+++ b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:("clusterrolebindings" or "rolebindings") and
+data_stream.dataset: "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:("clusterrolebindings" or "rolebindings") and
 kubernetes.audit.verb:"create" and kubernetes.audit.requestObject.roleRef.name:"cluster-admin" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and kubernetes.audit.level:"RequestResponse" and kubernetes.audit.stage:"ResponseComplete"
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index f19fb4cd1..9fcbee8b1 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
+data_stream.dataset : "kubernetes.audit_logs"
 and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and kubernetes.audit.objectRef.resource:"services" and kubernetes.audit.verb:("create" or "update" or "patch")
diff --git a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
index 746ad89fe..91a129e27 100644
--- a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
+++ b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "kubernetes.audit_logs" and kubernetes.audit.requestObject.spec.serviceAccountName:* and
+data_stream.dataset: "kubernetes.audit_logs" and kubernetes.audit.requestObject.spec.serviceAccountName:* and
 kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("rolebindings" or "clusterrolebindings") and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index 3a035b3ef..1cfc43c6e 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset: kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.verb: create and kubernetes.audit.objectRef.resource: pods and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or "SYSLOG") and not (
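Review bot: The rewritten first line of the excessive-capabilities query leaves the dataset value unquoted, `data_stream.dataset: kubernetes.audit_logs`, while the other kubernetes rules in this diff quote it; the hostNetwork rule's hunk has the same unquoted form, `data_stream.dataset:kubernetes.audit_logs`, and the spacing around `:` also varies across the kubernetes hunks (`dataset:`, `dataset :`, `dataset: `). An unquoted KQL value with no wildcard should behave the same as the quoted one, so this is style rather than behavior, but since the commit is already rewriting each of these lines it is the cheapest moment to normalize them; I would write `data_stream.dataset:"kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and` here and the matching quoted form in the hostNetwork rule. The remainder of both queries continues outside their hunks.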
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index de40e6240..bf4a1dc21 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostIPC:true and not kubernetes.audit.requestObject.spec.containers.image: (
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index abd158abb..2326aa00a 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:allow and
+data_stream.dataset:kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:allow and
 kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:(create or patch or update) and kubernetes.audit.requestObject.spec.hostNetwork:true and not (
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index eebe0cdc2..974e52ca7 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostPID:true and not kubernetes.audit.requestObject.spec.containers.image: (
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index ec7c7a328..6e9cf8732 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.volumes.hostPath.path: ( "/" or "/proc" or "/root" or "/var" or "/var/run" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index dad214db7..c5f2a43f4 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true and not kubernetes.audit.requestObject.spec.containers.image: ( *amazonaws.com/betsie/pipeline/pipeline-core* or mirror.gcr.io/aquasec/trivy* or rancher/mirrored-longhornio-longhorn-instance-manager* or quay.io/calico* or
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
index a2d144b30..1cfca2a99 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -66,11 +66,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sequence by user.name with maxspan=5m
- [any where event.dataset == "kubernetes.audit_logs" and
+ [any where data_stream.dataset == "kubernetes.audit_logs" and
 `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and kubernetes.audit.objectRef.resource in ("roles", "clusterroles") and kubernetes.audit.verb in ("create", "update", "patch")]
- [any where event.dataset == "kubernetes.audit_logs" and
+ [any where data_stream.dataset == "kubernetes.audit_logs" and
 `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and kubernetes.audit.objectRef.resource in ("daemonsets", "deployments", "cronjobs") and kubernetes.audit.verb in ("create", "patch") and
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
index e1ff2f63e..2a8cdfcf2 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and user_agent.original:* and
+data_stream.dataset:"kubernetes.audit_logs" and user_agent.original:* and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and kubernetes.audit.objectRef.resource:("daemonsets" or "deployments" or "cronjobs") and kubernetes.audit.verb:("create" or "patch") and
diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
index f869cc079..baa39acb5 100644
--- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:"kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset:"kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.user.username:( system\:serviceaccount\:* and not ( "system:serviceaccount:kube-system:clusterrole-aggregation-controller" or
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 22016d916..5f2a76462 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+data_stream.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.verb : "create" and kubernetes.audit.objectRef.resource : "pods" and kubernetes.audit.objectRef.namespace : "kube-system" and kubernetes.audit.requestObject.spec.serviceAccountName:*controller and not kubernetes.audit.requestObject.spec.containers.image:(
diff --git a/rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml b/rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
index 56a177328..3cb254e01 100644
--- a/rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
+++ b/rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/23"
 integration = ["microsoft_exchange_online_message_trace"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ query = '''
 from logs-microsoft_exchange_online_message_trace.* metadata _id, _version, _index // Filter for Azure Monitor notification emails with financial/billing themed subjects
-| where event.dataset == "microsoft_exchange_online_message_trace.log"
+| where data_stream.dataset == "microsoft_exchange_online_message_trace.log"
 and email.from.address == "azure-noreply@microsoft.com" and event.outcome in ("success", "unknown") and email.subject like "*Azure Monitor alert*"
diff --git a/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
index ffbcb3b47..a6c70a997 100644
--- a/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
+++ b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "o365.audit" and
+data_stream.dataset: "o365.audit" and
 event.provider: "Exchange" and event.action: "MailItemsAccessed" and event.code: "ExchangeItemAggregated" and
diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
index 3b6bdd9ca..db4fa2faa 100644
--- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
+++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "o365.audit" and
+data_stream.dataset: "o365.audit" and
 event.provider: "Exchange" and event.category: "web" and event.action: "MailItemsAccessed" and
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
index 4dda806d2..97fd4d5ca 100644
--- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
+++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ type = "esql"
 query = '''
 from logs-o365.audit-* metadata _id, _version, _index
 | where
- event.dataset == "o365.audit" and
+ data_stream.dataset == "o365.audit" and
 event.provider == "OneDrive" and event.action == "FileDownloaded" and event.outcome == "success"
diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
index 963c73a24..0724f86c0 100644
--- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
+++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "o365.audit" and
+data_stream.dataset: "o365.audit" and
 event.provider: ("SharePoint" or "OneDrive") and event.action: ("FileDownloaded" or "FileAccessed") and event.outcome: "success" and
diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml
index 7f28c7920..f026cc36c 100644
--- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml
+++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ sequence by related.user with maxspan=30m
 o365.audit.UserType: ("0", "2", "3", "10")] // victim source.ip
 [authentication where event.action == "UserLoggedIn" and o365.audit.ExtendedProperties.RequestType == "OAuth2:Token" and o365.audit.ExtendedProperties.ResultStatusDetail == "Success"] // attacker source.ip to convert oauth code to token
-[web where event.dataset == "o365.audit" and event.action == "Add registered users to device."] // user.name is captured in related.user
+[web where data_stream.dataset == "o365.audit" and event.action == "Add registered users to device."] // user.name is captured in related.user
 '''
 
 
diff --git a/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
index 3c6c61ca3..75d36b4da 100644
--- a/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
+++ b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -86,7 +86,7 @@ from logs-o365.audit-*
 Esql.o365_audit_LogonError = o365.audit.LogonError,
 Esql.o365_audit_ExtendedProperties_RequestType_lower = to_lower(o365.audit.ExtendedProperties.RequestType)
 | where
- event.dataset == "o365.audit" and
+ data_stream.dataset == "o365.audit" and
 event.category == "authentication" and
 event.provider in ("AzureActiveDirectory", "Exchange") and
 event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword") and
diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml
index 0f2f0e732..86eef1376 100644
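Review bot: Only the final `web` step of the OAuth-redirection sequence carries a dataset predicate; the two `authentication` steps above it (the first begins before the hunk, as the `sequence by related.user` header shows) have none, so the rule's restriction to o365 audit data presumably rests on its index pattern, and checking `data_stream.dataset` on one step out of three adds asymmetry rather than scoping. Either drop the predicate from the `web` step for consistency with its siblings, or add the same `data_stream.dataset == "o365.audit" and` to each `authentication` step so the sequence cannot be joined across datasets that share `related.user`. The sequence header and its first step lie outside the hunk, and the query ends at the `'''` line.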
--- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ from logs-o365.audit-*
 | eval
 Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp)
 | where
- event.dataset == "o365.audit" and
+ data_stream.dataset == "o365.audit" and
 event.category == "authentication" and
 event.provider in ("AzureActiveDirectory", "Exchange") and
 event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword") and
diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml
index f6a7afa5e..a633ddce8 100644
--- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml
+++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ type = "esql"
 query = '''
 from logs-o365.audit-*
 | where
- event.dataset == "o365.audit" and
+ data_stream.dataset == "o365.audit" and
 event.action == "UserLoggedIn" and
 source.ip is not null and
 o365.audit.UserId is not null and
diff --git a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml
index dbdd60ecb..2a5a7149b 100644
--- a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml
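Review bot: Both ES|QL hunks on this line read from `logs-o365.audit-*`, which already confines them to the o365.audit data stream, so `data_stream.dataset == "o365.audit"` in each `where` is a no-op, exactly as `event.dataset` was before. Keeping it for uniformity is fine, but note that ES|QL, unlike the KQL rules in this batch, appears to reject a query whose column is absent from every matched index rather than returning no rows, so a stream that somehow lacks `data_stream.dataset` would surface as a rule failure rather than a silent miss — a behaviour worth one sentence in the rule's note. Dropping the predicate outright, leaving `event.category == "authentication" and` as the first condition, is the simpler option. Each `where` block continues past its hunk.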
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_anti_phish_rule_modification.toml b/rules/integrations/o365/defense_evasion_exchange_anti_phish_rule_modification.toml
index c769adc82..f01473411 100644
--- a/rules/integrations/o365/defense_evasion_exchange_anti_phish_rule_modification.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_anti_phish_rule_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml
index 004e5b760..c5c8bd6b6 100644
--- a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml
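Review bot: Each of the two single-line queries now matches only documents stamped with `data_stream.dataset`, so an o365 audit record indexed outside a Fleet data stream (only the rule's `index` list, outside the hunk, says whether that can happen) is silently excluded rather than rejected. These two rules guard the removal and disabling of anti-phish protections, which is precisely where an attacker turning off defenses benefits from a missed event; if a transition period is needed, `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` keeps coverage, and otherwise a sentence in the setup text should record the Fleet-only dependency. Both hunks end at the closing `'''`.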
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
index 110b2b65d..b1cb5511d 100644
--- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml
index ec6089b3a..0c55c49f8 100644
--- a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml
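Review bot: The DKIM and DLP queries now depend on the Fleet-stamped `data_stream.dataset` field alone, and neither hunk records why `event.dataset` can be dropped, so a future reader cannot tell whether documents from a non-data-stream index were deliberately written off or simply forgotten. A comment cannot live inside the TOML query string, so the rule's setup text is the place for a sentence such as `Requires o365 audit data ingested through the Fleet integration, which sets data_stream.dataset; documents carrying only event.dataset are not evaluated by this rule.` If that guarantee does not yet hold everywhere, `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` keeps both forms matching. Both hunks end at the closing `'''`.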
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml
index be7927c5f..8af2dddd0 100644
--- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/13"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml
index c42fdc662..628139f1b 100644
--- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml
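Review bot: The `Set-MailboxAuditBypassAssociation` query, unlike the Safe Links sibling above it, has no `event.category:web` clause, so after this change the Fleet-stamped `data_stream.dataset` is its only dataset scoping; that may be deliberate if bypass-association events are not categorised `web`, but it makes this rule the more exposed of the two to documents that lack the data-stream field. Since the rule exists to catch an attacker exempting a mailbox from auditing, losing it silently would be doubly invisible; if the rule's `index` list (outside the hunk) can still admit documents without the field, `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` preserves coverage, and otherwise the Fleet-only dependency should be stated in the setup text. Both hunks end at the closing `'''`.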
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml
index c8313e379..688eda292 100644
--- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
index b902db463..2da602409 100644
--- a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
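Review bot: Both malware-filter queries swap `event.dataset` for `data_stream.dataset` with nothing else changed, so they inherit the batch-wide caveat: only documents stamped by a Fleet data stream are evaluated, and anything else the rule's `index` list (outside the hunk) matches drops out without an error. For defense-evasion rules that fire on the deletion or disabling of a malware filter, a silent coverage gap is the worst failure mode, so I would either keep `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` until every o365 source is confirmed Fleet-managed or add that requirement to the setup text. Both hunks end at the closing `'''`.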
@@ -2,7 +2,7 @@
 creation_date = "2025/05/22"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic", "Jamie Lee", "Marco Pedrinazzi"]
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset: "o365.audit" and
+data_stream.dataset: "o365.audit" and
 event.action: ("New-InboxRule" or "Set-InboxRule") and
 event.outcome: "success" and ( o365.audit.Parameters.BodyContainsWords: "\u0000" or
diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml
index 36613ec06..7811432e8 100644
--- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml
index a059221e9..79793fe18 100644
--- a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml
+++ b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml
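Review bot: The inbox-rule new_terms query is the more delicate of the two hunks here, because the changed line is also the only dataset scoping for a query that has no `event.provider` clause in the visible part; once it keys on `data_stream.dataset` alone, any o365 audit document lacking the Fleet-stamped field is dropped before the `New-InboxRule`/`Set-InboxRule` conditions are even evaluated, and a new_terms rule gives no hint that its input shrank. Whether that can happen depends on the rule's `index` list outside the hunk; if it can, `(data_stream.dataset: "o365.audit" or event.dataset: "o365.audit") and` is the safe transitional form. The query's parenthesised condition list continues past the hunk, and the Safe Attachment hunk below ends at its closing `'''`.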
@@ -2,7 +2,7 @@
 creation_date = "2026/02/25"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-web where event.dataset == "o365.audit" and
+web where data_stream.dataset == "o365.audit" and
 event.provider == "Exchange" and
 event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
 event.outcome == "success" and
diff --git a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml
index 8d5e9e22b..5d830991e 100644
--- a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml
+++ b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/27"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and
+data_stream.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and
 event.action: "SharingPolicyChanged" and event.outcome: "success" and (
 (o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or "Enabled") and
diff --git a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml
index 9353dbcbe..59b52dd06 100644
--- a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml
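Review bot: In the EQL hunk the new `web where data_stream.dataset == "o365.audit" and` line keeps the `web` category as an outer filter, so the rule still has two independent scoping checks; the SharePoint sharing-policy hunk below it, by contrast, relies on `data_stream.dataset` plus `event.provider` only, so it is the one that goes quiet if documents without the Fleet-stamped field reach its index pattern (the `index` list is outside the hunk). Both rules are recent (created 2026/02) and presumably written against Fleet data streams from the start, which makes the change low-risk for them, but that assumption deserves a line in each rule's setup text rather than living only in this commit. Both queries continue past their hunks.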
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:MicrosoftTeams and
+data_stream.dataset:o365.audit and event.provider:MicrosoftTeams and
 event.category:web and event.action:TeamsTenantSettingChanged and
 o365.audit.Name:"Allow sideloading and interaction of custom apps" and
 o365.audit.NewValue:True and event.outcome:success
diff --git a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml
index 570299d5b..a95c02e75 100644
--- a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
+data_stream.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
 event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
 o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
 '''
diff --git a/rules/integrations/o365/discovery_s
harepoint_sensitive_term_search.toml b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml
index 1e70dfb7f..361347218 100644
--- a/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml
+++ b/rules/integrations/o365/discovery_sharepoint_sensitive_term_search.toml
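Review bot: Both Teams queries date from 2020 (see `creation_date`), well before data streams were the only ingestion path, so of all the rules in this batch they are the ones most likely to have been tuned against indices where only `event.dataset` is present; after this change those documents no longer match and nothing reports it. If the rule's `index` list (outside the hunk) still names a non-data-stream pattern, keep `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` on the first line of each query until that pattern is removed, and otherwise record the Fleet-only assumption in the setup text. Both hunks end within the visible query text.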
@@ -2,7 +2,7 @@
 creation_date = "2026/02/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-web where event.dataset == "o365.audit" and
+web where data_stream.dataset == "o365.audit" and
 event.provider == "SharePoint" and
 event.action == "SearchQueryPerformed" and
 event.outcome == "success" and
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
index b236dee5b..b9dacea81 100644
--- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
index 8ab9e702e..646b1d392 100644
--- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
+++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
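Review bot: The `New-TransportRule` hunk is an exfiltration detection whose single-line query now depends on the Fleet-stamped `data_stream.dataset`; a transport rule that forwards mail to an external address is exactly the persistence an attacker sets up once and hopes nobody notices, so a silent drop in this rule's input is more costly than in most. Whether documents without the field can reach the rule depends on its `index` list outside the hunk; if they can, `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` keeps them covered, and if they cannot, a sentence in the setup text should say so. The SharePoint search EQL hunk above carries the same migration and its query continues past the hunk.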
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
index 3cd8b3f6c..916cc61d5 100644
--- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and
+data_stream.dataset:o365.audit and
 event.provider:SecurityComplianceCenter and
 event.category:web and
 rule.name:("Ransomware activity" or "Potential ransomware activity") and
diff --git a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
index fea069ec8..32430df90 100644
--- a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Austin Songer"]
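Review bot: The ransomware-activity hunk relays alerts that Microsoft's Security & Compliance Center has already raised (`event.provider:SecurityComplianceCenter` with `rule.name:(...)`), so after this change a tenant whose compliance alerts land in an index without `data_stream.dataset` would lose an upstream-confirmed ransomware signal with no error on the Elastic side. That is a severe enough outcome that I would keep the transitional `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` form here until the rule's `index` list (outside the hunk) is known to contain only data-stream patterns, and add that requirement to the setup text either way. The transport-rule hunk above has the same dependency and ends at its closing `'''`; the ransomware query continues past the hunk.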
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
index 1655de624..baa701460 100644
--- a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/23"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:o365.audit and
+data_stream.dataset:o365.audit and
 event.provider:AzureActiveDirectory and
 event.action:UserLoggedIn and
 event.outcome:success and
diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
index 10b2649fc..138ea3a71 100644
--- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
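Review bot: The atypical-travel new_terms hunk deserves a closer look than the file-deletion one above it, because a new_terms rule learns a baseline from its history window; if the switch to `data_stream.dataset` changes which documents are eligible (anything without the Fleet-stamped field is now excluded), the set of "seen" terms is recomputed against a different population and the rule may re-alert on logins it previously considered known. That is expected once, but it belongs in the rule's note so analysts do not treat the burst as new activity; `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` avoids the discontinuity if both forms coexist in the `index` list, which is outside the hunk. Both hunks are otherwise straightforward and the new_terms query continues past its hunk.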
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-event.dataset:o365.audit and
+data_stream.dataset:o365.audit and
 event.provider:AzureActiveDirectory and
 event.action:UserLoggedIn and
 event.outcome:success and
diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
index 5c9779e15..91dda1da0 100644
--- a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/04/03"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset: "o365.audit"
+data_stream.dataset: "o365.audit"
 and o365.audit.Actor.Type: 5
 and event.action: "Consent to application."
 and event.outcome: "success"
diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
index 72c07c330..dadeabd9f 100644
--- a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
+++ b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
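Review bot: The impossible-travel hunk is a threshold rule, and a threshold counts matching documents per grouping field before it fires; narrowing eligibility to documents carrying `data_stream.dataset` therefore lowers the count for any identity whose logins are split across data-stream and non-data-stream indices, which can push a genuine two-location login under the threshold without any visible error. If the rule's `index` list (outside the hunk) can still admit both kinds of document, `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` keeps the count whole; if it cannot, the setup text should state the Fleet-only dependency. The illicit-consent new_terms hunk below carries the same migration with its leading-`and` style intact, and both queries continue past their hunks.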
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: "o365.audit"
+data_stream.dataset: "o365.audit"
 and event.action: "UserLoggedIn"
 and o365.audit.ExtendedProperties.RequestType: "OAuth2:Authorize"
 and o365.audit.ExtendedProperties.ResultStatusDetail: "Redirect"
diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml
index f448ef4d4..b2ea9cd96 100644
--- a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml
+++ b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:o365.audit
+data_stream.dataset:o365.audit
 and event.provider:AzureActiveDirectory
 and event.category:authentication
 and o365.audit.ErrorNumber:(
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
index f460f945f..d89563b6f 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
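Review bot: The OAuth-phishing hunk has no `event.provider` clause in its visible lines, so after the change `data_stream.dataset: "o365.audit"` is the only thing that ties `event.action: "UserLoggedIn"` plus the `OAuth2:Authorize`/`Redirect` extended properties to o365 audit data; that is fine on a Fleet data stream, but it means this rule goes completely silent for any sign-in document that lacks the stamped field, with nothing else in the query to catch it. If the rule's `index` list (outside the hunk) is not yet data-stream-only, keep `(data_stream.dataset: "o365.audit" or event.dataset: "o365.audit")` as the first term; otherwise state the dependency in the setup text. The SSO-errors new_terms hunk below has the same shape, and both queries continue past their hunks.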
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
+data_stream.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
 '''
 
 
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
index 15f545815..bd972e1c2 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
index 29d2607f6..1e27f97ac 100644
--- a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
+++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
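Review bot: Both hunks relay Security & Compliance Center alerts (`event.provider:SecurityComplianceCenter`), and the user-reported-phish query has neither `event.category` nor `event.outcome`, so `data_stream.dataset` is now its only dataset scoping; a tenant whose compliance alerts are not stamped by a Fleet data stream loses a human-confirmed phishing signal without any error to investigate. If the rule's `index` list (outside the hunk) can still admit such documents, `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` keeps them, and otherwise the Fleet-only requirement should be written into the setup text. Both hunks end at their closing `'''`.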
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/25"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
+data_stream.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
 '''
 
 
diff --git a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
index 68a66be67..7ad3aee1a 100644
--- a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
+++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/25"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
+data_stream.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected
 '''
 
 
diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
index 6a188c194..46d97f9da 100644
--- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
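Review bot: The OneDrive and SharePoint malware-upload queries are identical apart from `event.provider`, and both now gate on `data_stream.dataset` with no `event.outcome` or `event.category` to fall back on, so `FileMalwareDetected` events that arrive without the Fleet-stamped field are dropped outright rather than surfacing as a lower-fidelity match. Since these two files duplicate each other line for line, a single rule with `event.provider:(OneDrive or SharePoint)` would have halved this migration and will halve the next one; short of that, both should carry the same transitional `(data_stream.dataset:o365.audit or event.dataset:o365.audit) and` or the same setup-text sentence about the Fleet dependency, whichever the `index` list (outside the hunk) calls for. Both hunks end at their closing `'''`.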
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit
+data_stream.dataset:o365.audit
 and event.code:"AzureActiveDirectory"
 and event.action:"Add member to role."
 and event.outcome: "success"
diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
index bb5accb60..a2c90a067 100644
--- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success
 '''
 
 
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
index 268f01b50..ca33fe1eb 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
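Review bot: The Global Administrator role-assignment hunk is the highest-impact query in this batch to make dependent on `data_stream.dataset`: an `Add member to role.` event that lands without the Fleet-stamped field is no longer evaluated, and a missed privileged-role grant is the kind of gap that is only discovered during an incident. The rule also has no `event.provider` clause in the visible lines (it uses `event.code:"AzureActiveDirectory"` instead), so the dataset term is its only tie to o365 audit data; I would keep `(data_stream.dataset:o365.audit or event.dataset:o365.audit)` as the first term until the rule's `index` list (outside the hunk) is confirmed data-stream-only, and document the dependency in the setup text regardless. The management-role hunk below ends at its closing `'''`; the Global Administrator query continues past the hunk.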
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "o365.audit" and
+data_stream.dataset: "o365.audit" and
 event.provider: "Exchange" and
 event.outcome: "success" and
 not o365.audit.UserType : (3 or 4) and
diff --git a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
index 7e3c706e1..d7075e1c0 100644
--- a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
+data_stream.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
 event.category:web and event.action:"Set-CsTeamsClientConfiguration" and o365.audit.Parameters.AllowGuestUser:True and event.outcome:success
 '''
diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
index 51e1c706f..de68b4256 100644
--- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
@@ -2,7 +2,7 @@ creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Austin Songer"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
+data_stream.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
 "Set-MsolDomainFederationSettings" or "Add-FederatedDomain" or "New-AcceptedDomain" or "Remove-AcceptedDomain" or "Remove-FederatedDomain") and event.outcome:success
 '''
diff --git a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
index e354d1a2b..9525f6d07 100644
--- a/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
+++ b/rules/integrations/o365/privilege_escalation_sharepoint_site_collection_admin_added.toml
@@ -2,7 +2,7 @@ creation_date = "2026/03/02"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:o365.audit
+data_stream.dataset:o365.audit
 and event.provider:(SharePoint or OneDrive)
 and event.category:web
 and event.action:SiteCollectionAdminAdded
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 39689dd40..d5931e081 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:user.mfa.attempt_bypass
+data_stream.dataset:okta.system and event.action:user.mfa.attempt_bypass
 '''
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index e7ef9688e..eca04ac99 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset:okta.system and event.action:user.account.lock
+data_stream.dataset:okta.system and event.action:user.account.lock
 '''
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index 9480d1709..e93d1bdfd 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,7 +2,7 @@ creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset:okta.system
+data_stream.dataset:okta.system
 and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:user.authentication* and okta.security_context.is_proxy:true
 '''
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index 46a0131cc..2b662d860 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,7 +2,7 @@ creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "esql"
 query = '''
 from logs-okta*
 | where
- event.dataset == "okta.system" and
+ data_stream.dataset == "okta.system" and
 not event.action in (
 "policy.evaluate_sign_on",
 "user.session.start",
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index 223874210..c3692f948 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ type = "esql"
 query = '''
 from logs-okta*
 | where
- event.dataset == "okta.system" and
+ data_stream.dataset == "okta.system" and
 (event.action like "user.authentication.*" or event.action == "user.session.start") and
 okta.debug_context.debug_data.dt_hash != "-" and
 okta.outcome.reason == "INVALID_CREDENTIALS"
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
index c44cebb4c..6f34edb33 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ type = "esql"
 query = '''
 FROM logs-okta.system-* METADATA _id, _version, _index
 | WHERE
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
 AND okta.actor.alternate_id IS NOT NULL
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_multi_source.toml b/rules/integrations/okta/credential_access_okta_brute_force_multi_source.toml
index fa50b1ab8..3633461fb 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_multi_source.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_multi_source.toml
@@ -2,7 +2,7 @@ creation_date = "2026/02/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ type = "esql"
 query = '''
 FROM logs-okta.system-* METADATA _id, _version, _index
-| WHERE event.dataset == "okta.system"
+| WHERE data_stream.dataset == "okta.system"
 AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
 AND okta.actor.alternate_id IS NOT NULL
diff --git a/rules/integrations/okta/credential_access_okta_credential_stuffing_single_source.toml b/rules/integrations/okta/credential_access_okta_credential_stuffing_single_source.toml
index c25881880..8995d85e5 100644
--- a/rules/integrations/okta/credential_access_okta_credential_stuffing_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_credential_stuffing_single_source.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ type = "esql"
 query = '''
 FROM logs-okta.system-* METADATA _id, _version, _index
 | WHERE
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
 AND okta.actor.alternate_id IS NOT NULL
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index dcb805b61..89e314178 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@ creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ type = "eql"
 query = '''
 sequence by okta.actor.id with maxspan=10m
 [ any
- where event.dataset == "okta.system"
+ where data_stream.dataset == "okta.system"
 and (
 okta.event_type == "user.mfa.okta_verify.deny_push"
 or (
@@ -86,7 +86,7 @@ sequence by okta.actor.id with maxspan=10m
 ] with runs=5 until
 [ any
- where event.dataset == "okta.system"
+ where data_stream.dataset == "okta.system"
 and okta.event_type in (
 "user.authentication.sso",
 "user.authentication.auth_via_mfa",
diff --git a/rules/integrations/okta/credential_access_okta_password_spray_multi_source.toml b/rules/integrations/okta/credential_access_okta_password_spray_multi_source.toml
index ff8620c52..73880429e 100644
--- a/rules/integrations/okta/credential_access_okta_password_spray_multi_source.toml
+++ b/rules/integrations/okta/credential_access_okta_password_spray_multi_source.toml
@@ -2,7 +2,7 @@ creation_date = "2026/02/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ type = "esql"
 query = '''
 FROM logs-okta.system-* METADATA _id, _version, _index
 | WHERE
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
 AND okta.actor.alternate_id IS NOT NULL
diff --git a/rules/integrations/okta/credential_access_okta_password_spray_single_source.toml b/rules/integrations/okta/credential_access_okta_password_spray_single_source.toml
index 15eb692f8..e5bf7837e 100644
--- a/rules/integrations/okta/credential_access_okta_password_spray_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_password_spray_single_source.toml
@@ -2,7 +2,7 @@ creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ type = "esql"
 query = '''
 FROM logs-okta.system-* METADATA _id, _version, _index
 | WHERE
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 AND okta.outcome.reason IN ("INVALID_CREDENTIALS", "LOCKED_OUT")
 AND okta.actor.alternate_id IS NOT NULL
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index e9241ff30..60b9cae2d 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@ creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ type = "eql"
 query = '''
 sequence by okta.actor.id with maxspan=10m
 [ any
- where event.dataset == "okta.system"
+ where data_stream.dataset == "okta.system"
 and (
 okta.event_type == "user.mfa.okta_verify.deny_push"
 or (
@@ -88,7 +88,7 @@ sequence by okta.actor.id with maxspan=10m
 )
 ] with runs=5
 [ any
- where event.dataset == "okta.system"
+ where data_stream.dataset == "okta.system"
 and okta.event_type in (
 "user.authentication.sso",
 "user.authentication.auth_via_mfa",
diff --git a/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml b/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml
index e060a3abc..a150f4621 100644
--- a/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml
+++ b/rules/integrations/okta/credential_access_okta_successful_login_after_credential_attack.toml
@@ -2,7 +2,7 @@ creation_date = "2026/02/12"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ FROM .alerts-security.*, logs-okta.system-* METADATA _id, _version, _index
 )
 OR (
 // Successful Okta authentication events
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND (event.action LIKE "user.authentication.*" OR event.action == "user.session.start")
 AND okta.outcome.result == "SUCCESS"
 AND okta.actor.alternate_id IS NOT NULL
@@ -123,7 +123,7 @@ FROM .alerts-security.*, logs-okta.system-* METADATA _id, _version, _index
 ), 1, 0
 ),
 Esql.is_success_login = CASE(
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND okta.outcome.result == "SUCCESS", 1, 0
 ),
 Esql.attack_ip = CASE(
@@ -136,7 +136,7 @@ FROM .alerts-security.*, logs-okta.system-* METADATA _id, _version, _index
 ), Esql.source_ip, null
 ),
 Esql.login_ip = CASE(
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND okta.outcome.result == "SUCCESS", Esql.source_ip, null
 ),
 Esql.attack_ts = CASE(
@@ -149,7 +149,7 @@ FROM .alerts-security.*, logs-okta.system-* METADATA _id, _version, _index
 ), @timestamp, null
 ),
 Esql.login_ts = CASE(
- event.dataset == "okta.system"
+ data_stream.dataset == "okta.system"
 AND okta.outcome.result == "SUCCESS", @timestamp, null
 )
 // Aggregate by user (catches IP rotation: spray from IP A, login from IP B)
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index ac2b3ea1a..500b6a4de 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,7 +2,7 @@ creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:user.session.impersonation.initiate
+data_stream.dataset:okta.system and event.action:user.session.impersonation.initiate
 '''
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 752ebc8c2..40f723c78 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:zone.deactivate
+data_stream.dataset:okta.system and event.action:zone.deactivate
 '''
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 7f1bcaf2c..8bcddf85d 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:zone.delete
+data_stream.dataset:okta.system and event.action:zone.delete
 '''
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index 952fb62b7..f76d4706c 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,7 +2,7 @@ creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: okta.system
+data_stream.dataset: okta.system
 and event.action: "app.oauth2.as.token.grant"
 and okta.actor.type: "PublicClientApp"
 and okta.debug_context.debug_data.flattened.grantType: "client_credentials"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index b1071d0eb..2254ada1c 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.deactivate
+data_stream.dataset:okta.system and event.action:policy.lifecycle.deactivate
 '''
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index a62d5f3a5..665dcdaf6 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.rule.deactivate
+data_stream.dataset:okta.system and event.action:policy.rule.deactivate
 '''
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index b255db542..7cfd831eb 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.delete
+data_stream.dataset:okta.system and event.action:policy.lifecycle.delete
 '''
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index b11ae8c91..1a47f8ff8 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.rule.delete
+data_stream.dataset:okta.system and event.action:policy.rule.delete
 '''
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 4c429ca0f..377888bbc 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)
+data_stream.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)
 '''
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index e2e4e61c6..11747ff06 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.lifecycle.update
+data_stream.dataset:okta.system and event.action:policy.lifecycle.update
 '''
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index 72e4c5ff1..1c4423099 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:policy.rule.update
+data_stream.dataset:okta.system and event.action:policy.rule.update
 '''
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 3dba3d705..c23e889e0 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset:okta.system and
+data_stream.dataset:okta.system and
 event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index f3129fa16..b3222e159 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:system.api_token.revoke
+data_stream.dataset:okta.system and event.action:system.api_token.revoke
 '''
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index ce1e17c9c..d01c8df78 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:application.lifecycle.deactivate
+data_stream.dataset:okta.system and event.action:application.lifecycle.deactivate
 '''
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index e99fc028b..0684e6c12 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:application.lifecycle.delete
+data_stream.dataset:okta.system and event.action:application.lifecycle.delete
 '''
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 3d7fbd734..ce557fd77 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:application.lifecycle.update
+data_stream.dataset:okta.system and event.action:application.lifecycle.update
 '''
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 91960faaa..090b46025 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
+data_stream.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)
 '''
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index 9c026e9aa..146e61eed 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,7 @@ creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:okta.system and
+data_stream.dataset:okta.system and
 okta.event_type: (
 user.session.start or
 user.authentication.verify or
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index 80b6b71f2..489034334 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,7 +2,7 @@ creation_date = "2023/05/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Austin Songer"] @@ -75,7 +75,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.category:authentication and +data_stream.dataset:okta.system and event.category:authentication and okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt" ''' diff --git a/rules/integrations/okta/initial_access_okta_suspicious_activity_after_proxy_authentication.toml b/rules/integrations/okta/initial_access_okta_suspicious_activity_after_proxy_authentication.toml index d901fb084..a43fd4a4f 100644 --- a/rules/integrations/okta/initial_access_okta_suspicious_activity_after_proxy_authentication.toml +++ b/rules/integrations/okta/initial_access_okta_suspicious_activity_after_proxy_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["okta"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -78,9 +78,9 @@ type = "eql" query = ''' sequence by user.name with maxspan=30m - [any where event.dataset == "okta.system" and + [any where data_stream.dataset == "okta.system" and kibana.alert.rule.rule_id == "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"] - [any where event.dataset == "okta.system" and + [any where data_stream.dataset == "okta.system" and kibana.alert.rule.rule_id != null and kibana.alert.severity != "low" and kibana.alert.rule.rule_id not in ( diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index 701332ba9..ff880f698 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml 
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/14" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic", "Austin Songer"] @@ -71,7 +71,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt +data_stream.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt ''' diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml index 4bfb17917..5dbebfd5c 100644 --- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml +++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/18" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -79,7 +79,7 @@ type = "esql" query = ''' from logs-okta* | where - event.dataset == "okta.system" and + data_stream.dataset == "okta.system" and (event.action like "user.authentication.*" or event.action == "user.session.start") and okta.security_context.is_proxy != true and okta.actor.id != "unknown" and diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml index 8589d5de2..0ab167873 100644 --- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml +++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "okta.system" +data_stream.dataset: "okta.system" and okta.authentication_context.issuer.id: (* and not "Okta") and ( event.action: ( diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml index b44a3a4bf..6fd29ea9f 100644 --- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml +++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "okta.system" +data_stream.dataset: "okta.system" and event.action: "user.authentication.sso" and event.outcome: "success" and okta.client.device: ("Unknown" or "unknown") diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 3cee4601d..7c903420b 100644 --- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser +data_stream.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser ''' diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml index 25a9fa908..6c4d266d2 100644 --- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml +++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -78,7 +78,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.dataset:okta.system +data_stream.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:* and not (okta.actor.id: okta* or okta.actor.display_name: okta*) diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml index efa11cf5d..9c4eb80aa 100644 --- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml +++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" promotion = true -updated_date = "2025/07/02" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -42,7 +42,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) +data_stream.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) ''' diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 2d50aeeea..dc726b873 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.action:group.privilege.grant +data_stream.dataset:okta.system and event.action:group.privilege.grant ''' diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index ae9abcc15..70d74fa32 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system +data_stream.dataset:okta.system and event.action: (user.account.privilege.grant or group.privilege.grant) and okta.debug_context.debug_data.flattened.privilegeGranted: *administrator* ''' diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index 110fba316..661eae3cf 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -79,7 +79,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.action:system.api_token.create +data_stream.dataset:okta.system and event.action:system.api_token.create ''' diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index 7b826d1c1..dd707b5a2 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.action:user.mfa.factor.reset_all +data_stream.dataset:okta.system and event.action:user.mfa.factor.reset_all ''' 
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml index 04ca3459a..fc43c7282 100644 --- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml +++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -77,9 +77,9 @@ type = "eql" query = ''' sequence by okta.target.id with maxspan=12h - [any where event.dataset == "okta.system" and okta.event_type in ("user.mfa.factor.deactivate", "user.mfa.factor.reset_all") + [any where data_stream.dataset == "okta.system" and okta.event_type in ("user.mfa.factor.deactivate", "user.mfa.factor.reset_all") and okta.outcome.reason != "User reset SECURITY_QUESTION factor" and okta.outcome.result == "SUCCESS"] - ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"] + ![any where data_stream.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"] ''' diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml index 96b1ea065..3c6561b02 100644 --- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml +++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
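Review bot: The negated step `![any where data_stream.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]` cancels the sequence on any activate event, while the opening step requires `okta.outcome.result == "SUCCESS"`; a re-enrolment attempt that fails therefore still suppresses the alert, and a successful deactivation followed only by an unsuccessful activation goes unreported. Mirroring the outcome constraint closes the asymmetry: `![any where data_stream.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate" and okta.outcome.result == "SUCCESS"]`. The `sequence by okta.target.id with maxspan=12h` header is visible in the hunk, so the change is contained to the two bracketed steps.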
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" +data_stream.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" ''' diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index c9f052895..f9cfb35d8 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/01" integration = ["okta"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) +data_stream.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) ''' diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml index b0edb92b5..c98257da5 100644 --- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml +++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/09" integration = ["endpoint", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -80,8 +80,8 @@ type = "eql" query = ''' sequence by user.name with maxspan=12h [any where host.os.type == "windows" and signal.rule.threat.tactic.name == "Credential Access"] - [any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.update"] - [any where event.dataset == "okta.system" and okta.event_type: ("user.session.start", "user.authentication*")] + [any where data_stream.dataset == "okta.system" and okta.event_type == "user.mfa.factor.update"] + [any where data_stream.dataset == "okta.system" and okta.event_type: ("user.session.start", "user.authentication*")] ''' diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml index a874dbd67..04dd72cf9 100644 --- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -138,7 +138,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version destination.ip, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats @@ -146,7 +146,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable | where 
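Review bot: The first step of the sequence still selects alerts with `signal.rule.threat.tactic.name`, whereas the proxy-authentication rule in this same commit reads `kibana.alert.rule.rule_id`; as far as I can tell `signal.*` is the pre-8.0 alias family, so the two Okta sequence rules now target different alert field namespaces and this one depends on the compatibility alias remaining mapped. If the `kibana.alert.rule.*` schema exposes the tactic, moving this step to it would keep the two rules consistent; otherwise a short line in the rule description stating that the alias is intentional would help the next maintainer. The `sequence by user.name with maxspan=12h` header is in the hunk; the remainder of the rule file is outside it.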
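Review bot: Renaming the aggregated column `Esql.event_dataset_values` to `Esql.data_stream_dataset_values` changes the alert field name that anything downstream (dashboards, case templates, investigation guides, exception lists) may already reference, and nothing in the commit flags it as a breaking change. Either keeping the old name for one release alongside the new one or calling the rename out in the rule description would avoid a silent gap; the same rename appears in the ES|QL hunks of the other Linux rules in this commit (`credential_access_potential_linux_local_account_bruteforce`, `credential_access_potential_password_spraying_attack`, `defense_evasion_base64_decoding_activity`, `discovery_port_scanning_activity_from_compromised_host`, `discovery_subnet_scanning_activity_from_compromised_host`, `exfiltration_unusual_file_transfer_utility_launched`, `impact_potential_bruteforce_malware_infection`, `persistence_web_server_sus_child_spawned`, `persistence_web_server_sus_command_execution`). Note also that on `logs-endpoint.events.network-*` the `data_stream.dataset` value is fixed per data stream, so `values(data_stream.dataset)` will carry a single value and serves as provenance rather than a discriminator. The query continues past the hunk, whose last line is `| where`.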
diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index a300abfe2..aa46feffb 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -84,7 +84,7 @@ from logs-endpoint.events.process* metadata _id, _index, _version process.parent.command_line, process.command_line, user.name, - event.dataset, + data_stream.dataset, data_stream.namespace, process.parent.executable, agent.id, @@ -96,7 +96,7 @@ from logs-endpoint.events.process* metadata _id, _index, _version Esql.process_command_line_values = values(process.command_line), Esql.process_parent_command_line_values = values(process.parent.command_line), Esql.user_name_values = values(user.name), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.parent.executable, agent.id, user.id, Esql.time_window_date_trunc diff --git a/rules/linux/credential_access_potential_password_spraying_attack.toml b/rules/linux/credential_access_potential_password_spraying_attack.toml index 711c7bd6f..b7f9010ab 100644 --- a/rules/linux/credential_access_potential_password_spraying_attack.toml +++ b/rules/linux/credential_access_potential_password_spraying_attack.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/24" integration = ["system"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -84,7 +84,7 @@ from logs-system.auth-* metadata _id, _index, _version source.ip, process.name, user.name, - event.dataset, + data_stream.dataset, data_stream.namespace, agent.id, user.id, @@ -95,7 +95,7 @@ from logs-system.auth-* metadata _id, _index, _version Esql.user_name_count_distinct = count_distinct(user.name), Esql.user_name_values = values(user.name), Esql.process_name_values = values(process.name), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by Esql.time_window_date_trunc, source.ip diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml index d0fee31c9..3f0e0cabd 100644 --- a/rules/linux/defense_evasion_base64_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -146,7 +146,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version process.parent.command_line, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats Esql.event_count = count(), @@ -155,7 +155,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.name, process.command_line | where 
diff --git a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml index 123057b6a..1b69e4dee 100644 --- a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -131,7 +131,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version source.ip, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats @@ -141,7 +141,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), Esql.source_ip_values = values(source.ip), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable, destination.ip | where diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml index a7db2fe66..3c6541bfb 100644 --- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -122,7 +122,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version destination.ip, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats 
@@ -131,7 +131,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml index 35222dec4..96ef0f6a7 100644 --- a/rules/linux/execution_executable_stack_execution.toml +++ b/rules/linux/execution_executable_stack_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -50,7 +50,7 @@ tags = [ timestamp_override = "event.ingested" type = "query" query = ''' -host.os.type:"linux" and event.dataset:"system.syslog" and process.name:"kernel" and +host.os.type:"linux" and data_stream.dataset:"system.syslog" and process.name:"kernel" and message:"started with executable stack" ''' note = """## Triage and analysis diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index 51dce3af6..36b0010f9 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -143,7 +143,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version process.executable, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats 
@@ -151,7 +151,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable, process.parent.executable diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml index 5ce3b6d80..f9e0112da 100644 --- a/rules/linux/impact_potential_bruteforce_malware_infection.toml +++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -136,7 +136,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version process.executable, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats @@ -144,7 +144,7 @@ from logs-endpoint.events.network-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable, destination.port diff --git a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml index 89e8ba1f7..abedeeda1 100644 --- a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml 
+++ b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/19" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -101,7 +101,7 @@ sequence by agent.id with maxspan=10s http.request.method == "POST" and http.request.body.content like "*WebKitFormBoundary*" and url.path like~ "*upload*.action"] - [file where event.dataset == "endpoint.events.file" and + [file where data_stream.dataset == "endpoint.events.file" and host.os.type == "linux" and event.action == "creation" and process.name == "java" and diff --git a/rules/linux/persistence_bpf_probe_write_user.toml b/rules/linux/persistence_bpf_probe_write_user.toml index 7e66f75cc..9efce773d 100644 --- a/rules/linux/persistence_bpf_probe_write_user.toml +++ b/rules/linux/persistence_bpf_probe_write_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/28" integration = ["system"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -87,7 +87,7 @@ tags = [ timestamp_override = "event.ingested" type = "query" query = ''' -host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"bpf_probe_write_user" +host.os.type:linux and data_stream.dataset:"system.syslog" and process.name:kernel and message:"bpf_probe_write_user" ''' [[rule.threat]] diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml index a40049fd6..7c003a400 100644 --- a/rules/linux/persistence_rc_local_error_via_syslog.toml +++ b/rules/linux/persistence_rc_local_error_via_syslog.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["system"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
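Review bot: The file step now pins `data_stream.dataset == "endpoint.events.file"`, but the sequence correlates on `agent.id` between a network_traffic HTTP event and an Elastic Defend file event, and that key only lines up when both integrations run under the same Elastic Agent on the web host, which the rule does not state. If that deployment is the intended precondition, a sentence in the rule description saying so would save the next reader from guessing; if not, `host.id` or `host.name` is likely the safer join key for the `sequence by` clause. The HTTP step and the tail of the file step are outside the hunk.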
@@ -91,7 +91,7 @@ tags = [ timestamp_override = "event.ingested" type = "query" query = ''' -host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and +host.os.type:linux and data_stream.dataset:system.syslog and process.name:rc.local and message:("Connection refused" or "No such file or directory" or "command not found") ''' diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 469573741..98cd9d300 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -86,7 +86,7 @@ tags = [ timestamp_override = "event.ingested" type = "query" query = ''' -host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and +host.os.type:linux and data_stream.dataset:"system.syslog" and process.name:kernel and message:"module verification failed: signature and/or required key missing - tainting kernel" ''' diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index da02eaa00..60bc06ed1 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -88,7 +88,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and +host.os.type:linux and data_stream.dataset:"system.syslog" and process.name:kernel and message:"loading out-of-tree module taints kernel." ''' 
diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index 96ac48f1a..d8e7beb12 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -165,7 +165,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version process.parent.executable, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats @@ -173,7 +173,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable, process.working_directory, process.parent.executable diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index 6306b468f..1ba8a2f90 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -150,7 +150,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version process.parent.executable, agent.id, host.name, - event.dataset, + data_stream.dataset, data_stream.namespace | stats 
@@ -158,7 +158,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_dataset_values = values(data_stream.dataset), Esql.data_stream_namespace_values = values(data_stream.namespace) by process.command_line, process.working_directory, process.parent.executable diff --git a/rules/network/collection_fortigate_config_download.toml b/rules/network/collection_fortigate_config_download.toml index afe6bfcc8..99e4fe06f 100644 --- a/rules/network/collection_fortigate_config_download.toml +++ b/rules/network/collection_fortigate_config_download.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "fortinet_fortigate.log" and +any where data_stream.dataset == "fortinet_fortigate.log" and event.code == "0100032095" and fortinet.firewall.action == "download" ''' diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index 9f9657187..46d421212 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw", "fortinet_fortigate", "sonicwall_firewall", "suricata"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/10" [rule] author = ["Elastic"] 
@@ -91,7 +91,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset:(fortinet_fortigate.log or network_traffic.flow
+(data_stream.dataset:(fortinet_fortigate.log or network_traffic.flow
 or sonicwall_firewall.log or suricata.eve or panw.panos) or event.category:(network or network_traffic)) and event.type:(connection and not end) and not event.action:(
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 9e8db1efd..821a5453f 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ type = "query"
 
 query = '''
 ((event.category: (network OR network_traffic) AND type: (tls OR http))
- OR event.dataset: (network_traffic.tls OR network_traffic.http)
+ OR data_stream.dataset: (network_traffic.tls OR network_traffic.http)
 ) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
 '''
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 10408f201..7281b360f 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/05"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
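Review bot: In the cobalt_strike_beacon hunk the retained line `) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/` leaves the two dots around `stage` unescaped, so each matches any character and the pattern is looser than the `xxx.stage.NNNNNNNN.` shape the rule is after; `) AND destination.domain:/[a-z]{3}\.stage\.[0-9]{8}\..*/` pins the literal separators. The imprecision predates this commit, but the new `data_stream.dataset` alternative on the line above feeds straight into this regex, so the same pass is a good time to tighten it. The rule's note and threat mapping lie outside the hunk.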
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.tls or event.category: (network or network_traffic))
+(data_stream.dataset: network_traffic.tls or event.category: (network or network_traffic))
 and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 3b369f04e..eab1fde7f 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: (network_traffic.http or network_traffic.tls) or
+(data_stream.dataset: (network_traffic.http or network_traffic.tls) or
 (event.category: (network or network_traffic) and network.protocol: http)) and (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and not destination.ip:(
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 3a265f93e..04a176ea3 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: (network_traffic.tls OR network_traffic.http) OR
+(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
 (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
 '''
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 38b3cbc3b..4ce9c3939 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: (network_traffic.tls OR network_traffic.http) OR
+(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
 (event.category: (network OR network_traffic) AND network.protocol: http)) AND network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443)
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index e7177215b..ba1eb0ba7 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500
 '''
 note = """## Triage and analysis
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 6cde29db3..a5ddf13d3 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
+(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
 '''
 note = """## Triage and analysis
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 090339a81..2d2c5b59e 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
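Review bot: In the port_26 hunk the rewritten line matches `data_stream.dataset: (network_traffic.flow or zeek.smtp)`, yet the same file's first hunk shows `integration = ["network_traffic", "panw"]` with no zeek entry, so the integration metadata (and whatever schema validation and Data Source tagging it drives) does not cover one of the two datasets the query keys on. If zeek is an intended source, add it to the list; if it is not, the `zeek.smtp` alternative is dead and could be dropped. The same mismatch appears further down this diff in the rdp (`zeek.rdp`), both rpc (`zeek.dce_rpc`), smb (`zeek.smb`) and dns (`zeek.dns`) rules, each of which lists only network_traffic and/or panw.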
@@ -38,8 +38,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
- network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and (destination.port:3389 or data_stream.dataset:zeek.rdp) and
 not source.ip:(
 10.0.0.0/8 or
 127.0.0.0/8 or
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index c32898e1b..533ce03b0 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
 network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
 not source.ip:(
 10.0.0.0/8 or
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 3c29ae4bf..c67271629 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
 network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
 source.ip:(
 10.0.0.0/8 or
diff --git a/rules/network/defense_evasion_fortigate_overly_permissive_firewall_policy.toml b/rules/network/defense_evasion_fortigate_overly_permissive_firewall_policy.toml
index d86d0f462..26343b6ba 100644
--- a/rules/network/defense_evasion_fortigate_overly_permissive_firewall_policy.toml
+++ b/rules/network/defense_evasion_fortigate_overly_permissive_firewall_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/01/28"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "fortinet_fortigate.log" and
+any where data_stream.dataset == "fortinet_fortigate.log" and
 event.code == "0100044547" and
 fortinet.firewall.cfgpath == "firewall.policy" and
 fortinet.firewall.action in ("Add", "Edit") and
diff --git a/rules/network/initial_access_fortigate_admin_login_multi_srcip.toml b/rules/network/initial_access_fortigate_admin_login_multi_srcip.toml
index 79cbe5309..32f9c823f 100644
--- a/rules/network/initial_access_fortigate_admin_login_multi_srcip.toml
+++ b/rules/network/initial_access_fortigate_admin_login_multi_srcip.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/01/29"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ type = "esql"
 
 query = '''
 FROM logs-fortinet_fortigate.*, filebeat-* metadata _id
-| WHERE event.dataset == "fortinet_fortigate.log" and
+| WHERE data_stream.dataset == "fortinet_fortigate.log" and
 event.category == "authentication" and event.action == "login" and event.outcome == "success" and source.user.roles == "Administrator" and source.user.name is not null and source.ip is not null
diff --git a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml
index d5d10c26a..29732c5ee 100644
--- a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml
+++ b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ type = "esql"
 
 query = '''
 FROM logs-fortinet_fortigate.* metadata _id, _version, _index
-| WHERE event.dataset == "fortinet_fortigate.log" and
+| WHERE data_stream.dataset == "fortinet_fortigate.log" and
 event.category == "authentication" and event.action == "login" and event.outcome == "success" and (fortinet.firewall.method == "sso" or fortinet.firewall.ui like "sso*") and
diff --git a/rules/network/initial_access_newly_observed_fortigate_admin_logon.toml b/rules/network/initial_access_newly_observed_fortigate_admin_logon.toml
index abd746f9f..e1de0f81c 100644
--- a/rules/network/initial_access_newly_observed_fortigate_admin_logon.toml
+++ b/rules/network/initial_access_newly_observed_fortigate_admin_logon.toml
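Review bot: In the admin_login_multi_srcip hunk, `FROM logs-fortinet_fortigate.*, filebeat-* metadata _id` still reads `filebeat-*`, but the filter now requires `data_stream.dataset == "fortinet_fortigate.log"`, a field that classic (non-data-stream) Filebeat indices generally do not carry, so whatever that pattern was meant to contribute is now dropped silently rather than matched. Either remove `filebeat-*` from the FROM clause, or keep a fallback such as `| WHERE (data_stream.dataset == "fortinet_fortigate.log" or event.dataset == "fortinet_fortigate.log") and`, and record the decision in the rule note. The `@@ -82` hunk of initial_access_newly_observed_fortigate_admin_logon.toml on the next line has the same FROM clause and the same question. The `| WHERE` clause continues past the end of the hunk.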
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/01/29"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ type = "esql"
 
 query = '''
 FROM logs-fortinet_fortigate.*, filebeat-* metadata _id
-| WHERE event.dataset == "fortinet_fortigate.log" and
+| WHERE data_stream.dataset == "fortinet_fortigate.log" and
 event.category == "authentication" and event.action == "login" and event.outcome == "success" and source.user.roles == "Administrator" and source.user.name is not null
 | stats Esql.logon_count = count(*),
diff --git a/rules/network/initial_access_react_server_rce_network_alerts.toml b/rules/network/initial_access_react_server_rce_network_alerts.toml
index c319a5afc..75327dad3 100644
--- a/rules/network/initial_access_react_server_rce_network_alerts.toml
+++ b/rules/network/initial_access_react_server_rce_network_alerts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/10"
 integration = ["panw", "cisco_ftd", "fortinet_fortigate", "suricata"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -73,10 +73,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset:"cisco_ftd.log" and message:"SERVER-WEBAPP React Server Components remote code execution attempt") or
-(event.dataset:"fortinet_fortigate.log" and message:"applications3: React.Server.Components.react-flight.Remote.Code.Execution") or
-(event.dataset:"panw.panos" and event.action:"exploit_detected" and event.original :*React*Server*) or
-(event.dataset:("suricata_corelight" or "suricata.eve") and rule.name:*CVE-2025-55182*)
+(data_stream.dataset:"cisco_ftd.log" and message:"SERVER-WEBAPP React Server Components remote code execution attempt") or
+(data_stream.dataset:"fortinet_fortigate.log" and message:"applications3: React.Server.Components.react-flight.Remote.Code.Execution") or
+(data_stream.dataset:"panw.panos" and event.action:"exploit_detected" and event.original :*React*Server*) or
+(data_stream.dataset:("suricata_corelight" or "suricata.eve") and rule.name:*CVE-2025-55182*)
 '''
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 1ee0865b2..d2d20b900 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
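Review bot: The PAN-OS branch `(data_stream.dataset:"panw.panos" and event.action:"exploit_detected" and event.original :*React*Server*)` keys on `event.original`, which integrations typically populate only when the policy's preserve_original_event option is enabled, and a leading-wildcard match on it is costly where the field is indexed; on a deployment that does not preserve the original event this branch never fires and nothing tells the analyst why. If the threat or signature name is available in a dedicated PAN-OS field, matching on that is cheaper and independent of the preserve setting; otherwise one sentence in the rule note stating the preserve_original_event requirement would make the gap visible. The other three branches key on `message` and `rule.name` and do not share this dependency.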
@@ -26,8 +26,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
- network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and (destination.port:135 or data_stream.dataset:zeek.dce_rpc) and
 not (event.type: denied or event.action: flow_dropped or event.outcome: failure) and
 not source.ip:(
 10.0.0.0/8 or
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 41a7b2452..a1e90e348 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,8 +26,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
- network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and (destination.port:135 or data_stream.dataset:zeek.dce_rpc) and
 source.ip:(
 10.0.0.0/8 or
 172.16.0.0/12 or
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index c82adad47..585afd172 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/01"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,8 +26,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
- network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
+(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and (destination.port:(139 or 445) or data_stream.dataset:zeek.smb) and
 source.ip:(
 10.0.0.0/8 or
 172.16.0.0/12 or
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 9a2017960..6e96e6e27 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/11"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND
+(data_stream.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND
 status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization
 '''
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
index 495662975..e6218fd2d 100644
--- a/rules/network/lateral_movement_dns_server_overflow.toml
+++ b/rules/network/lateral_movement_dns_server_overflow.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -73,8 +73,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
- (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
+(data_stream.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
+ (data_stream.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
 '''
diff --git a/rules/network/persistence_fortigate_admin_creation_unusual_source.toml b/rules/network/persistence_fortigate_admin_creation_unusual_source.toml
index bf11e09db..64cede40f 100644
--- a/rules/network/persistence_fortigate_admin_creation_unusual_source.toml
+++ b/rules/network/persistence_fortigate_admin_creation_unusual_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/01/28"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset: "fortinet_fortigate.log" and
+data_stream.dataset: "fortinet_fortigate.log" and
 event.code: "0100044547" and
 fortinet.firewall.cfgpath: "system.admin" and
 fortinet.firewall.action: "Add" and
diff --git a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml
index 35bc46d96..7e3be29b4 100644
--- a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml
+++ b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -68,10 +68,10 @@ type = "eql"
 
 query = '''
 sequence by observer.name with maxspan=15m
- [authentication where event.dataset == "fortinet_fortigate.log" and
+ [authentication where data_stream.dataset == "fortinet_fortigate.log" and
 event.action == "login" and event.outcome == "success" and
 (fortinet.firewall.method == "sso" or fortinet.firewall.ui like~ "sso*")]
- [any where event.dataset == "fortinet_fortigate.log" and
+ [any where data_stream.dataset == "fortinet_fortigate.log" and
 event.code == "0100044547" and
 fortinet.firewall.cfgpath == "system.admin" and
 fortinet.firewall.action == "Add"]
diff --git a/rules/network/persistence_fortigate_super_admin_account_creation.toml b/rules/network/persistence_fortigate_super_admin_account_creation.toml
index 95436b332..54e18c3c3 100644
--- a/rules/network/persistence_fortigate_super_admin_account_creation.toml
+++ b/rules/network/persistence_fortigate_super_admin_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/28"
 integration = ["fortinet_fortigate"]
 maturity = "production"
-updated_date = "2026/01/28"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "fortinet_fortigate.log" and
+any where data_stream.dataset == "fortinet_fortigate.log" and
 event.code == "0100044547" and
 fortinet.firewall.cfgpath == "system.admin" and
 fortinet.firewall.action == "Add" and
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index e7ad0618a..ef45907cc 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -99,7 +99,7 @@ process where host.os.type == "windows" and event.type == "start" and
 not (
 ?user.id == "S-1-5-18" and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
- not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+ not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) and
 /* Exclude System Integrity Processes for Sysmon */
 not ?winlog.event_data.IntegrityLevel == "System"
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index dc5054e53..0e199a089 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [transform]
 [[transform.osquery]]
@@ -128,7 +128,7 @@ query = '''
 sequence by process.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.category == "process" and process.name : "rundll32.exe"]
- [process where host.os.type == "windows" and event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and
+ [process where host.os.type == "windows" and event.category == "process" and data_stream.dataset : "windows.sysmon_operational" and event.code == "7" and
 (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
 /* renamed COMSVCS */
 not file.name : "COMSVCS.DLL"]
diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 0f592120d..db76f5efd 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/12"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2026/04/10"
 min_stack_version = "9.1.0"
 min_stack_comments = "The esql match operator was introduced in version 9.1.0"
@@ -75,7 +75,7 @@ FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys
 not to_lower(process.executable) in ("c:\\windows\\syswow64\\svchost.exe", "c:\\windows\\system32\\svchost.exe") and
 not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\system32\\svchost.exe""" and
 not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\syswow64\\svchost.exe"""
-| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line, _id, _version, _index
+| keep data_stream.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line, _id, _version, _index
 '''
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index 96f71cd4e..0cf2a79e5 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,7 @@ process where host.os.type == "windows" and event.type : "start" and process.com
 ) and
 not (
 /* Crowdstrike specific exclusion as it uses NT Object paths */
- (event.dataset == "crowdstrike.fdr" or event.action == "ProcessRollup2") and
+ (data_stream.dataset == "crowdstrike.fdr" or event.action == "ProcessRollup2") and
 process.executable : (
 "\\Device\\HarddiskVolume*\\Program Files (x86)\\*",
 "\\Device\\HarddiskVolume*\\Program Files\\*",
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index aaea4bfe4..967492d0e 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,7 @@ not process.parent.name : "PDQInventoryScanner.exe" and
 not (
 user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
- not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+ not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
 )
 '''
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 80a9d2adb..7cbfd8936 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 not ?winlog.event_data.SubjectUserName : "*$" and
 /* Sysmon will always populate user.id as S-1-5-18, leading to FPs */
- not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+ not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) or
 (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
 ) and
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 25a637bbd..10032c680 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -98,7 +98,7 @@ process where host.os.type == "windows" and event.type == "start" and
 not (
 ?user.id == "S-1-5-18" and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
- not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+ not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
 )
 '''
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
index 7e8578f6b..7c07363db 100644
--- a/rules/windows/execution_windows_cmd_shell_susp_args.toml
+++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -137,7 +137,7 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
 not (
 /* Crowdstrike doesn't populate process.parent.executable */
- event.dataset == "crowdstrike.fdr" and
+ data_stream.dataset == "crowdstrike.fdr" and
 process.parent.name : (
 "perl.exe", "node.exe", "pg_dumpall.exe", "PRTG Server.exe", "spiceworks-finder.exe", "leds.exe", "twexec.exe", "SonarScanner.MSBuild.exe", "Code.exe", "netbeans64.exe", "javaw.exe", "Bot Framework Composer.exe", "SessionMgr.exe",
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index 12f07fbe1..5e01365b3 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ process where host.os.type == "windows" and event.type == "start" and
 not (
 ?user.id == "S-1-5-18" and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
- not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+ not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) and
 not process.parent.executable : (
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index a2831b848..4dec3b71b 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ sequence by host.id with maxspan = 20s
 not (
 user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
- not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+ not data_stream.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) and
 not process.executable : ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 53d948bc8..bb641db4d 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/02"
 integration = ["windows", "endpoint"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -71,10 +71,10 @@ type = "eql"
 
 query = '''
 any where host.os.type == "windows" and (
- (event.dataset == "windows.sysmon_operational" and event.code == "21" and
+ (data_stream.dataset == "windows.sysmon_operational" and event.code == "21" and
 ?winlog.event_data.Operation : "Created" and ?winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
- (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and ?process.Ext.api.name == "IWbemServices::PutInstance" and
+ (data_stream.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and ?process.Ext.api.name == "IWbemServices::PutInstance" and
 ?process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
 )
 '''