github-actions[bot]
0b15511ef5
Lock versions for releases: 8.19,9.2,9.3,9.4 (#6044)
2026-05-04 21:29:14 +05:30
shashank-elastic
a6fba3c728
Monthly Manifest and Schema Updation (#6036)
2026-05-04 18:01:56 +05:30
Eric Forte
aad0e4ed11
Fix percentages (#6002)
2026-05-01 19:13:53 -04:00
Mika Ayenson, PhD
cc66323d1d
[Bug] Omit ES|QL engine columns from required_fields (#6027)
* Omit Esql.* columns from ES|QL rule required_fields
Kibana treats required_fields as index mappings. ES|QL stats and
similar commands expose Esql.* and Esql_priv.* result columns that
are not mapped on source indices, which produced noisy validation
warnings for shipped rules.
Filter those names when building required_fields. Add a check in
test_esql_endpoint_alerts_index when remote ES|QL validation runs.
Fixes #6026.
* Move required_fields check to its own remote test
* Iterate production rules in required_fields test
* Use direct get_required_fields call in remote test
Skip to_api_format() and call data.get_required_fields(index) directly,
gated on ESQLRuleData. Mirrors the ESQLValidator scope of the fix and
avoids the unrelated packaging steps that to_api_format runs per rule.
* Bump version to 1.6.30
* Centralize ES|QL dynamic field prefix tuple
Define ESQL_DYNAMIC_FIELD_PREFIXES = ("Esql.", "Esql_priv.") in
schemas/definitions.py and reuse it in QueryValidator.get_required_fields,
ESQLValidator.validate_columns_index_mapping, and the remote test.
Single source of truth and consistent ordering across the codebase.
2026-05-01 17:37:31 -05:00
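An added example, not code from the detection-rules project, showing the filtering and the check that the commit message above describes: columns named `Esql.*` or `Esql_priv.*` are produced by the ES|QL engine rather than mapped on the source indices, so they are dropped when building `required_fields` and skipped when columns are compared against the index mapping. The `ESQL_DYNAMIC_FIELD_PREFIXES` tuple and the function names mirror the commit; the index mapping, the ECS field set, the sample column names and the `required_fields` entry shape (`{"name", "type", "ecs"}`) are constructed assumptions for the example.

```python
"""Added example (not detection-rules code): keep ES|QL engine columns out of
required_fields and out of index-mapping validation.

Kibana treats required_fields as index mappings, so a name that only exists
as a query result column (Esql.* / Esql_priv.*) must not be emitted there.
The mapping, ECS field set and sample columns below are constructed.
"""
from __future__ import annotations

# Same tuple the commit centralizes in schemas/definitions.py.
ESQL_DYNAMIC_FIELD_PREFIXES: tuple[str, ...] = ("Esql.", "Esql_priv.")

# Constructed stand-in for the source-index mapping the validator consults.
SAMPLE_INDEX_MAPPING: dict[str, str] = {
    "@timestamp": "date",
    "host.id": "keyword",
    "process.name": "keyword",
    "user.name": "keyword",
}

# Constructed stand-in for the ECS field list used to set the "ecs" flag.
SAMPLE_ECS_FIELDS: frozenset[str] = frozenset(
    {"@timestamp", "host.id", "process.name", "user.name"}
)


def is_dynamic_esql_column(name: str) -> bool:
    """True for columns the ES|QL engine synthesises (never index-mapped)."""
    return name.startswith(ESQL_DYNAMIC_FIELD_PREFIXES)


def get_required_fields(
    columns: list[tuple[str, str]],
    ecs_fields: frozenset[str] = SAMPLE_ECS_FIELDS,
) -> list[dict]:
    """Build required_fields entries from (name, type) result columns.

    Dynamic Esql.* / Esql_priv.* columns are dropped so Kibana does not go
    looking for them on the index. Entry shape is an assumption here.
    """
    required = []
    for name, field_type in columns:
        if is_dynamic_esql_column(name):
            continue
        required.append({"name": name, "type": field_type, "ecs": name in ecs_fields})
    # Deterministic order keeps rule files stable across runs.
    return sorted(required, key=lambda f: f["name"])


def validate_columns_index_mapping(
    columns: list[tuple[str, str]],
    mapping: dict[str, str] = SAMPLE_INDEX_MAPPING,
) -> list[str]:
    """Return one warning per column that is absent from the index mapping.

    Dynamic columns are skipped: the query itself produces them, so their
    absence from the mapping is expected (this was the source of the noise).
    """
    warnings = []
    for name, _ in columns:
        if is_dynamic_esql_column(name):
            continue
        if name not in mapping:
            warnings.append(f"column {name!r} is not mapped on the source index")
    return warnings


def leaked_dynamic_fields(required_fields: list[dict]) -> list[str]:
    """The remote-test check: names that should have been filtered but were not."""
    return [f["name"] for f in required_fields if is_dynamic_esql_column(f["name"])]


# Constructed result columns, in the shape a remote ES|QL validation of a
# STATS query might report: mapped fields plus engine-generated columns.
SAMPLE_COLUMNS: list[tuple[str, str]] = [
    ("Esql.count", "long"),
    ("Esql_priv.host_id_count", "long"),
    ("host.id", "keyword"),
    ("process.name", "keyword"),
    ("process.command_line", "keyword"),  # deliberately not in the mapping
]

if __name__ == "__main__":
    fields = get_required_fields(SAMPLE_COLUMNS)
    print(fields)
    print(validate_columns_index_mapping(SAMPLE_COLUMNS))
    print(leaked_dynamic_fields(fields))
```

Running the block prints three entries for `required_fields` (the two `Esql*` columns are gone), a single unmapped-column warning for `process.command_line`, and an empty list from the check; feeding a `required_fields` list that still carries an `Esql.` name to `leaked_dynamic_fields` returns that name, which is what the remote test should fail on.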
Eric Forte
f7387bb10d
[FR] [DAC] Add Exception Duplication Checking (#5689)
* Add Exception Duplication Checking
2026-04-29 08:57:07 -04:00
github-actions[bot]
cb3c342b31
Lock versions for releases: 8.19,9.2,9.3,9.4 (#5998)
2026-04-29 00:52:04 +05:30
wingiti
0f521a0848
Fix value lists within exception lists (#5963)
* Fix value lists within exception lists
2026-04-24 12:23:06 -04:00
Mika Ayenson, PhD
b6886f310c
[FR] Add enforcement for deprecated_reason (#5953)
2026-04-23 17:15:47 +05:30
github-actions[bot]
2dac152094
Lock versions for releases: 8.19,9.2,9.3,9.4 (#5972)
* Locked versions for releases: 8.19,9.2,9.3,9.4
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
2026-04-22 20:15:10 -04:00
Eric Forte
2029654e79
ESQL validation support fix (#5970)
2026-04-22 16:52:37 -04:00
shashank-elastic
7a54f8be99
Prep for Release 9.4 (#5965)
2026-04-23 00:13:05 +05:30
Mika Ayenson, PhD
876e4ed535
[Bug] Fix Kibana version parsing for package version (#5962)
* [Bug] Fix Kibana version parsing for package version
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2026-04-22 11:25:06 -04:00
Susan
d8a39869c5
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2026-04-22 17:36:35 +05:30
Eric Forte
9736407ef3
[FR] [DAC] Initial Yaml Support (#5821)
* Initial Yaml Support
2026-04-10 11:29:15 -04:00
Eric Forte
984be4a1ac
[Bug] Small bugfix to address update navigator edge case (#5942)
* [Bug] Small bugfix to address update navigator edge case
2026-04-10 08:53:56 -04:00
Eric Forte
1503976d10
[FR] Load ECS mapping based on supplied stack version (#5925)
* Load ECS mapping based on supplied stack version
2026-04-09 12:40:10 -04:00
github-actions[bot]
c601edfbb3
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5930)
2026-04-08 19:44:16 +05:30
github-actions[bot]
88bc42265f
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5926)
2026-04-07 17:45:00 +05:30
Terrance DeJesus
48128c1c66
[Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field (#5894)
* [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field
Fixes #5893
* adding non-admin consented filter
* converting to ESQL
* additional query adjustments
* adjusted query KEEP
* updating non-ecs
* Apply suggestion from @terrancedejesus
2026-04-06 09:40:21 -04:00
shashank-elastic
199a4d6160
Monthly Manifest and Schema Updation (#5920)
2026-04-06 17:35:33 +05:30
github-actions[bot]
d9890db6ff
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5888)
* Locked versions for releases: 8.19,9.1,9.2,9.3
* Update pyproject.toml
---------
Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com>
2026-03-26 12:31:50 -05:00
Terrance DeJesus
cd19b25485
[New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme (#5878)
* [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme
Fixes #5877
* adding microsoft_exchange_online_message_trace to manifests/schemas; bumping patch
* updated mitre
* Update rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* bumping patch
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2026-03-26 10:50:15 -05:00
Eric Forte
75ffa5ec4e
[FR] [DaC] Add fine-grained bypass env var for ES|QL keep and metadata validation (#5869)
* Add fine grain 'keep' req bypass
* Add metadata bypass
2026-03-24 14:36:45 -04:00
github-actions[bot]
b14dec9efa
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5875)
2026-03-23 23:45:25 +05:30
Mika Ayenson, PhD
ade7de7be4
[New Rules] External Promotion Alert for IBM QRadar (#5843)
2026-03-20 14:42:43 -05:00
Davis Plumlee
cb5b89f83e
[FR] Includes deprecated rule stubs to the package for upstream testing (#5813)
* adds scripting to include deprecated rule stubs in package
* remove deprecated manifest from package
* adds 9.4 gate
* bump version
* fix merge conflict
* test
* revert commit hash
* adds deprecated_reason logic from comment
* fix lint error
* fix lint error
* fix formatting
* test
* revert commit hash
* Update detection_rules/packaging.py
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-18 14:34:25 -05:00
Ruben Groenewoud
8b140d5811
[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837)
* [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules
* ++
* Bump pyproject.toml
* Bump pyproject.toml
2026-03-17 17:28:47 +01:00
Terrance DeJesus
937a7a35e6
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824)
* [New Rule] Azure Arc Kubernetes Cluster Connect Abuse
Fixes #5823
* rename, adjusted query
* adding KEEP *
* adjusting maturity
* added to non-ecs schema
* updating rule
* addressing unit test failures
* adjustments to logic, mitre mappings, unit test failures, etc.
* Update rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-17 11:06:47 -04:00
Mika Ayenson, PhD
49c9c283e6
[FR] Reset deprecated lock to the latest state during lock (#5827)
2026-03-16 17:04:56 -05:00
Eric Forte
57bf1546dd
[Bug] [DAC] Add filtering to export-rules-from-repo (#5769)
* Add filtering to export-rules-from-repo
2026-03-10 13:03:52 -04:00
github-actions[bot]
61211a2670
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5820)
2026-03-10 18:49:55 +05:30
github-actions[bot]
87badac5a0
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5818)
2026-03-10 15:33:16 +05:30
Eric Forte
26d37dd62e
[Bug] Ignore Other Keep Wildcards (#5792)
* Ignore other Keep Wildcards
* Added a unit test for multiple keeps
* Add keep star unit tests
2026-03-09 19:33:27 -04:00
shashank-elastic
e08f234b1c
Monthly Manifest and Schema Updation (#5816)
* Monthly Manifest and Schema Updation
* Update Patch Version
2026-03-09 08:15:06 -05:00
Terrance DeJesus
5ecbc0f0b9
[New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access (#5777)
* [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access
Fixes #5776
* adjusting UUIDs
* added additional strings
* adjusted investigation guide
* fixed mitre mappings
* fixed mitre mappings
* Apply suggestion from @terrancedejesus
2026-02-26 14:29:14 -05:00
Terrance DeJesus
71c461d867
[New Rule] M365 MFA Notification Email Deleted or Moved (#5779)
* [New Rule] M365 MFA Notification Email Deleted or Moved
Fixes #5778
* updated non-ecs
* adjusted rule name
* Apply suggestion from @terrancedejesus
2026-02-26 13:21:08 -05:00
Terrance DeJesus
8593116f58
[New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752)
* [New Rule] Okta User Authentication via Proxy Followed by Security Alert
Fixes #5751
* adjusted to EQL
* fixed syntax
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* removed defense evasion; adjusted maxspan to 30m
* removed Okta tag
* adding Okta back as integration tag
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2026-02-26 11:32:25 -05:00
Terrance DeJesus
04ad018f27
[Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads (#5767)
* [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads
Fixes #5766
* updated non-ecs
* fixing keep command
2026-02-26 10:38:59 -05:00
Terrance DeJesus
201660af36
[Bug] Adding Deprecated Rules to Rules Package Breaks Current Package Build (#5773)
* applying patch fix for historical rules and deprecated JSON object
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2026-02-24 13:54:46 -05:00
github-actions[bot]
92a379e034
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5765)
2026-02-24 18:49:27 +05:30
Eric Forte
5adc118f92
[Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value (#5747)
* Add reverse lookup check against Kibana value
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-20 15:29:51 -05:00
Mika Ayenson, PhD
a1c3267529
[FR] Add deprecated file to release for upstream testing (#5749)
2026-02-20 14:16:27 -06:00
Terrance DeJesus
f773103519
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection (#5702)
* [Rule Tuning] Entra ID Federated Identity Credential Persistence Detection
Fixes #5701
* updated mitre mapping ID
* adjusted mitre mappings; non-ecs schema file
* fixed trailing comma in non-ecs; adjusted file name
* adjusted file name; fixed non-ecs schema for upstream ESQL validation
* Apply suggestion from @terrancedejesus
* Apply suggestion from @terrancedejesus
* changed lookback to 9 minutes; adjusted keep values
* added setup; added tag
2026-02-19 15:58:12 -05:00
Terrance DeJesus
63f76cf004
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681)
* [Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Fixes #5680
* adjusted query format for unit test; added additional domain tag for storage
* Apply suggestion from @terrancedejesus
* Fix formatting in non-ecs-schema.json
* adjusted description
* re-order mappings
2026-02-19 10:09:15 -05:00
Terrance DeJesus
62cc9f105d
[Rule Tuning] Okta User Assigned Administrator Role (#5671)
Fixes #5670
2026-02-12 09:33:25 -05:00
Eric Forte
f306404fe5
[Bug] CLI adds frequency field to system actions (.cases), causing import failure (#5690)
* No frequency field to cases
2026-02-11 15:18:20 -05:00
Eric Forte
f74c04d11a
[Bug] ESQL validation keep Clause Reported Missing Metadata Fields (#5717)
* Update Keep Field to Handle Comments
* Update for handling inline comments
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-11 15:02:23 -05:00
github-actions[bot]
df9c27d82e
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5708)
2026-02-10 11:14:23 +05:30
shashank-elastic
70d7f2b6b1
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
Ruben Groenewoud
64a08cd6af
[New Rules] Misc. K8s RBAC Abuse Rules (#5673)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New Rules] Misc. K8s RBAC Abuse Rules
* --
* Update non-ecs-schema
* Update to make unit tests happy
* Mitre mapping updates
* Fix query logic for service account role bindings
* Fix formatting in persistence_service_account_bound_to_clusterrole rule
2026-02-05 17:42:03 +01:00