[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)

* [Rule Tuning] Change event.dataset to data_stream.dataset

* updating ESQL field names
Terrance DeJesus
2026-04-10 12:27:52 -04:00
committed by GitHub
parent 9736407ef3
commit deab1c0161
472 changed files with 1022 additions and 1022 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit"
configuration where data_stream.dataset == "github.audit"
and github.category == "protected_branch" and event.type == "change"
'''
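Review bot: The rewritten predicate on the new `configuration where data_stream.dataset == "github.audit"` line narrows what the rule matches: `data_stream.dataset` is typically populated only for documents written through the data-stream naming scheme, so GitHub audit events that landed in classic indices, or through an older pipeline that set only `event.dataset`, silently stop matching and the rule's coverage shrinks without any alert telling you so. If that transitional coverage matters, the guard can be written as `configuration where (data_stream.dataset == "github.audit" or event.dataset == "github.audit")` until the legacy sources are retired; otherwise the rule's investigation guide (outside this hunk) should state that only data-stream-indexed audit logs are in scope. The same point applies to every other `event.dataset` to `data_stream.dataset` query change in this commit, including the secret-scanning, integration-installation, git.clone threshold, repository-visibility, repo.destroy, git.push new_terms, self-hosted-runner, org.add_member, personal-access-token and org.update_member rules.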
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/02/04"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -65,7 +65,7 @@ tags = [
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and event.type == "change" and event.action == "repository_secret_scanning.disable"
configuration where data_stream.dataset == "github.audit" and event.type == "change" and event.action == "repository_secret_scanning.disable"
'''
[[rule.threat]]
@@ -2,7 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
configuration where data_stream.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
'''
@@ -2,7 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
data_stream.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
configuration where data_stream.dataset == "github.audit" and event.action == "integration_installation.create"
'''
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/02/04"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and github.operation_type == "modify" and github.category == "repo" and
configuration where data_stream.dataset == "github.audit" and github.operation_type == "modify" and github.category == "repo" and
event.action == "repo.access" and github.previous_visibility == "private" and github.visibility == "public"
'''
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -76,7 +76,7 @@ from logs-github.audit-* metadata _id, _index, _version
Esql.github_user_agent_values = values(github.user_agent),
Esql.user_name_values = values(user.name),
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_dataset_values = values(data_stream.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by user.name
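Review bot: The renamed aggregation column `Esql.data_stream_dataset_values = values(data_stream.dataset),` changes the name of a field that ends up in the alert document, so anything that still refers to `Esql.event_dataset_values` (investigation guide text, investigation fields, downstream dashboards or case templates) needs the same rename, and none of that is visible in this hunk. Because the query already reads `from logs-github.audit-*`, the column will most likely carry a single value and adds little investigative context; keeping it is harmless, but a short trailing comment such as `// dataset kept for parity with the non-ES|QL GitHub rules` would explain why it is retained. The same applies to the other three ES|QL GitHub audit rules in this commit (the pull_request_url, reasons.message and mv_contains 9.2 rules).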
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ tags = [
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset:"github.audit" and event.action:("git.push" or "git.clone") and github.repository_public:false
data_stream.dataset:"github.audit" and event.action:("git.push" or "git.clone") and github.repository_public:false
'''
[[rule.threat]]
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy"
configuration where event.module == "github" and data_stream.dataset == "github.audit" and event.action == "repo.destroy"
'''
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -79,7 +79,7 @@ from logs-github.audit-* metadata _id, _index, _version
Esql.github_pull_request_url_values = values(github.pull_request_url),
Esql.user_name_values = values(user.name),
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_dataset_values = values(data_stream.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by user.name
@@ -2,7 +2,7 @@
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -80,7 +80,7 @@ from logs-github.audit-* metadata _id, _index, _version
Esql.github_reasons_message_value = values(github.reasons.message),
Esql.user_name_values = values(user.name),
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_dataset_values = values(data_stream.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by user.name
@@ -4,7 +4,7 @@ integration = ["github"]
maturity = "production"
min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview"
min_stack_version = "9.2.0"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -84,7 +84,7 @@ from logs-github.audit-* metadata _id, _index, _version
Esql.github_reasons_message_values = values(github.reasons.message),
Esql.user_name_values = values(user.name),
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_dataset_values = values(data_stream.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by user.name
@@ -2,7 +2,7 @@
creation_date = "2025/12/09"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset: "github.audit" and
data_stream.dataset: "github.audit" and
event.action: "git.push" and
user.name: "github-actions[bot]"
'''
@@ -2,7 +2,7 @@
creation_date = "2025/11/28"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -62,7 +62,7 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset:"github.audit" and
data_stream.dataset:"github.audit" and
event.category:"configuration" and
event.action: (
"repo.register_self_hosted_runner" or
@@ -2,7 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
iam where data_stream.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
'''
@@ -2,7 +2,7 @@
creation_date = "2023/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -65,7 +65,7 @@ tags = [
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and github.operation_type == "create" and
configuration where data_stream.dataset == "github.audit" and github.operation_type == "create" and
github.category == "personal_access_token" and event.action == "personal_access_token.access_granted"
'''
@@ -2,7 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
iam where data_stream.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''