Commit Graph

222 Commits

Author SHA1 Message Date
shashank-elastic 1ce072a4e5 Prep for Release 9.3 (#5548) 2026-01-12 21:07:07 +05:30
Samirbous 7c36743ce6 [New] Multiple Alerts in Same ATT&CK Tactic by Host (#5550)
* [New] Multiple Alerts in Same ATT&CK Tactic by Host

This rule uses alert data to determine when multiple alerts in the same phase of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

* Update multiple_alerts_same_tactic_by_host.toml

* Update rules/cross-platform/multiple_alerts_same_tactic_by_host.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update non-ecs-schema.json

* Update multiple_alerts_same_tactic_by_host.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-01-12 14:19:51 +00:00
Samirbous 8bc4829432 [Tuning] Multiple Cloud Secrets Accessed by Source Address (#5549)
* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml
2026-01-12 11:44:31 +00:00
Samirbous 2d5d826be7 [New] Multiple External EDR Alerts by Host (#5540)
* [New] Multiple External EDR Alerts by Host

This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml
2026-01-09 15:51:51 +00:00
Mika Ayenson, PhD f123ffa0f8 [Rule Tuning] GenAI DR Tuning (#5506) 2026-01-09 08:23:03 -06:00
Samirbous b39cfc34e6 [New] First Time Seen Elastic Defend Behavior Alert (#5528)
* [New] First Time Seen Elastic Defend Behavior Alert

This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against the previous 7 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule on a single agent, which may indicate early-stage malicious activity or initial execution of suspicious behavior.

* Update first_time_seen_elastic_defend_alert.toml

* ++

* Update first_time_seen_elastic_defend_alert.toml

* ++

* Update fist_time_seen_elastic_detection_rule.toml

* Update fist_time_seen_elastic_detection_rule.toml

* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update fist_time_seen_elastic_detection_rule.toml

* Update first_time_seen_elastic_defend_alert.toml

* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update first_time_seen_elastic_defend_alert.toml

* Update and rename fist_time_seen_elastic_detection_rule.toml to newly_observed_elastic_detection_rule.toml

* Rename first_time_seen_elastic_defend_alert.toml to newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_detection_rule.toml

* Update newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_detection_rule.toml

* Update newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_detection_rule.toml

* Update newly_observed_elastic_detection_rule.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-09 10:34:32 +00:00
Samirbous 0165b97d30 [New] Suspected Lateral Movement from Compromised Host (#5521)
* [New] Suspected Lateral Movement from Compromised Host

Detects potential lateral movement or post-compromise activity by correlating alerts where the host.ip of one alert matches the source.ip of a subsequent alert. This behavior may indicate a compromised host being used to authenticate to another system or resource, including cloud services.

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update multiple_alerts_by_host_ip_and_source_ip.toml

* Update multiple_alerts_by_host_ip_and_source_ip.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:23:16 +00:00
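The correlation described in the commit above, as an added example in Python that is not code from the elastic/detection-rules repository: a later alert whose source.ip equals an earlier alert's host.ip is treated as a pivot from a compromised host. The alert records, their flattened field layout, the one-hour window, and the helper names are assumptions made for this illustration.

```python
"""Added example, not code from the elastic/detection-rules repository.

Correlates alerts the way the "Suspected Lateral Movement from Compromised
Host" commit describes: the host.ip of one alert matches the source.ip of a
later alert. The alert records, field layout and one-hour window are
constructed assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real data). Each dict is a flattened view of
# an alert document with only the fields the correlation needs. ECS host.ip is
# an array, so both a string and a list are accepted below.
SAMPLE_ALERTS = [
    {"@timestamp": "2026-01-07T10:00:00Z", "rule": "Suspicious Process", "host.name": "ws01", "host.ip": ["10.0.0.5"], "source.ip": None},
    {"@timestamp": "2026-01-07T10:05:00Z", "rule": "Local Recon", "host.name": "ws01", "host.ip": "10.0.0.5", "source.ip": "10.0.0.5"},
    {"@timestamp": "2026-01-07T10:20:00Z", "rule": "SSH Brute Force", "host.name": "srv01", "host.ip": ["10.0.0.9"], "source.ip": "10.0.0.5"},
    {"@timestamp": "2026-01-07T10:30:00Z", "rule": "Cloud API Abuse", "host.name": None, "host.ip": None, "source.ip": "10.0.0.7"},
    {"@timestamp": "2026-01-07T13:00:00Z", "rule": "Unusual Login", "host.name": "srv02", "host.ip": ["10.0.0.12"], "source.ip": "10.0.0.5"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ips(value):
    """Normalise a host.ip value (None, string or list) to a set of strings."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


def correlate_pivots(alerts, window=timedelta(hours=1)):
    """Return pivot hits: a later alert whose source.ip equals an earlier
    alert's host.ip within `window`. A match where the later alert's own
    host.ip also contains that address is ignored: that is the same host
    talking to itself, not lateral movement."""
    ordered = sorted(alerts, key=lambda a: _ts(a["@timestamp"]))
    hits = []
    for i, first in enumerate(ordered):
        first_ips = _ips(first.get("host.ip"))
        if not first_ips:
            continue
        t0 = _ts(first["@timestamp"])
        for second in ordered[i + 1:]:
            if _ts(second["@timestamp"]) - t0 > window:
                break  # alerts are time-ordered, nothing later can qualify
            src = second.get("source.ip")
            if src in first_ips and src not in _ips(second.get("host.ip")):
                hits.append({"pivot_ip": src, "first": first, "second": second})
    return hits


def pivot_summary(hits):
    """Group hits by pivot IP: which downstream hosts each suspected
    compromised host reached. This is the view an analyst triages first."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["pivot_ip"]].add(h["second"].get("host.name") or h["second"]["rule"])
    return {ip: sorted(hosts) for ip, hosts in summary.items()}


if __name__ == "__main__":
    found = correlate_pivots(SAMPLE_ALERTS)
    for h in found:
        print(f'{h["pivot_ip"]}: {h["first"]["rule"]} -> {h["second"]["rule"]} on {h["second"]["host.name"]}')
    print(pivot_summary(found))
```

With the constructed data and the default one-hour window, only the pivot from ws01 (10.0.0.5) to srv01 is reported; the 13:00 login on srv02 falls outside the window, and the 10:05 alert whose source.ip is its own host.ip is skipped. Widening the window to four hours adds srv02, which is the trade-off the rule's interval tuning controls.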
Ruben Groenewoud 38e2e4766f [Rule Tuning] Linux DR BBR Tuning (#5514)
* [Rule Tuning] Linux DR BBR Tuning

* Update discovery_getconf_execution.toml

* Fix typo in process.args for dscl command

* Update persistence_web_server_sus_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:52:40 +01:00
Ruben Groenewoud ca0f32f28e [Rule Tuning] Linux DR CP Tuning (#5512)
* [Rule Tuning] Linux DR CP Tuning

* Update date bump

* Fix privilege escalation rule for teleport executable

* ++

* Revert "++"

This reverts commit 386dc909b89dfcbe21628585489605fd0206e3c2.

* Update rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:40:37 +01:00
Samirbous 74d6fe95c9 [New] Multiple Elastic Defend Alerts from Single Process Tree (#5522)
* [New] Multiple Elastic Defend Alerts from Single Process Tree

Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

* Update multiple_alerts_edr_elastic_same_process_tree.toml

* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update multiple_alerts_edr_elastic_same_process_tree.toml

* Update multiple_alerts_edr_elastic_same_process_tree.toml

* Update multiple_alerts_edr_elastic_same_process_tree.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-02 15:13:25 +00:00
Samirbous c7adfd8b6d [Tuning] Elastic Defend and Network Security Alerts Correlation (#5518)
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml

* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
2026-01-02 14:40:06 +00:00
Samirbous f337926c52 Update initial_access_execution_susp_react_serv_child.toml (#5503)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-01 15:27:33 -03:00
Jonhnathan b956a4350f [Rule Tuning] Multiple Alerts Involving a User (#5498)
* [Rule Tuning] Multiple Alerts Involving a User

* Update multiple_alerts_involving_user.toml

* Update multiple_alerts_involving_user.toml

* Update non-ecs-schema.json

* ++

* Update multiple_alerts_involving_user.toml

* ++

* Update non-ecs-schema.json
2025-12-19 12:57:25 -03:00
Samirbous 95cf506c9d [New] Suricata and Elastic Defend Network Correlation (#5443)
* [New] Suricata and Elastic Defend - Command and Control Correlation

This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process performing the network activity.

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_suricata_elastic_defend_c2.toml

* Update command_and_control_suricata_elastic_defend_c2.toml

* add suricata to schemas

* merge from main

* reset schemas

* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-19 09:08:31 +00:00
Samirbous a1e40de4a5 [New] Alerts From Multiple Integrations by Entity (#5460)
* [New] Alerts From Multiple Integrations by Entity IP

Higher-Order Rules that trigger on different integrations with different event.category values (e.g. authentication with endpoint, email with network, etc.) for the same entity (user, IP) in an interval of 4 hours. The rule is set to run every 1h.

- Alerts From Multiple Integrations by Source Address
- Alerts From Multiple Integrations by Destination IP
- Alerts From Multiple Integrations by User Name

* ++

* ++

* ++

* ++

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update multiple_alerts_from_different_modules_by_dstip.toml

* Update multiple_alerts_from_different_modules_by_dstip.toml

* Update multiple_alerts_from_different_modules_by_srcip.toml

* Update multiple_alerts_from_different_modules_by_user.toml

* Update multiple_alerts_from_different_modules_by_dstip.toml

* Update multiple_alerts_from_different_modules_by_srcip.toml

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update multiple_alerts_from_different_modules_by_dstip.toml

* Update multiple_alerts_from_different_modules_by_srcip.toml

* Update multiple_alerts_from_different_modules_by_user.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-18 18:04:58 +00:00
Samirbous b996a29451 [Tuning] Diverse Rules Tuning (#5482)
* [Tuning] Diverse Rules Tuning

* Update persistence_shell_profile_modification.toml

* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* ++

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update credential_access_potential_linux_ssh_bruteforce_internal.toml

* Update persistence_shell_profile_modification.toml

* Revert "Update credential_access_potential_linux_ssh_bruteforce_internal.toml"

This reverts commit bad889a30d3f4a028de2b6624307f75b279a205b.

* Update persistence_web_server_sus_destination_port.toml

* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml

* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-18 15:30:12 +00:00
Samirbous 6ac69db7ba [Tuning] Elastic Defend and Email Alerts Correlation (#5459)
* [Tuning] Elastic Defend and Email Alerts Correlation

This rule uses the logs-* generic index, which causes failures on clusters without an email-related integration with `destination.user.name` populated. For now, the rule is limited to checkpoint email security; we can add more later, or users can customize it by adding more indexes.

* add checkpoint_email manifest and schema

* Update pyproject.toml

* Update multiple_alerts_email_elastic_defend_correlation.toml
2025-12-15 15:33:10 +00:00
Samirbous a6548d9773 Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446) 2025-12-12 17:47:11 +00:00
Samirbous 3726611b93 [Tuning] Top Noisy Rules (#5449)
* [Tuning] Windows BruteForce Rules Tuning

#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths. Alert quality should be better since it aggregates all failed-auth info into one alert vs. multiple EQL matches (expected reduction of more than 50%).

#2 Privileged Account Brute Force - converted to ESQL and set the threshold to 50 in a minute. This should drop noise volume by more than 50%.

* ++

* Update execution_shell_evasion_linux_binary.toml

* Update execution_shell_evasion_linux_binary.toml

* Update defense_evasion_indirect_exec_forfiles.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update lateral_movement_remote_file_copy_hidden_share.toml

* Update persistence_service_windows_service_winlog.toml

* Update credential_access_lsass_openprocess_api.toml

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update impact_hosts_file_modified.toml

* Update defense_evasion_process_termination_followed_by_deletion.toml

* Update rules/windows/credential_access_lsass_openprocess_api.toml

* Update rules/windows/credential_access_bruteforce_admin_account.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update impact_hosts_file_modified.toml

* Update credential_access_dollar_account_relay.toml

* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-12 14:28:12 +00:00
Samirbous fcb6c3c433 [Tuning] Suspicious React Server Child Process (#5447)
* Update initial_access_execution_susp_react_serv_child.toml

* Update initial_access_execution_susp_react_serv_child.toml
2025-12-12 10:40:23 +00:00
Terrance DeJesus cabf1c2a02 [Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
* Tuning azure and m365 rule names and file paths

* addressing unit test failures

* addressing unit test failures

* Changed Frontdoor to Front Door

* removed extra space in name

* adjusted Microsoft 365 to M365 in rule name

* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml

* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml

* Update rules/integrations/azure/persistence_automation_account_created.toml

* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml

* Update rules/integrations/azure/persistence_automation_webhook_created.toml

* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml

* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml

* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml

* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml

* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* fixed additional rule names

* Update rule dates and investigation guide headers

- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* changed kibana alert rule name to rule ID

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-10 12:59:50 -05:00
Jonhnathan 7a54ae33a5 [Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
* [Rule Tuning] Add Missing Metadata to KEEP conditions

* Add them all

* ++

* date bump

* Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml
2025-12-09 17:05:20 -08:00
shashank-elastic 58a514340b December Schema Refresh (#5420) 2025-12-08 22:07:46 +05:30
Ruben Groenewoud 7aacebba02 [Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421) 2025-12-08 18:54:23 +05:30
Ruben Groenewoud bd9b1f222d [Rule Tuning] Suspicious React Server Child Process (#5419) 2025-12-08 12:50:41 +01:00
Terrance DeJesus cea2f43732 [New Rule] AWS EC2 LOLBin Execution via SSM (#5354)
* [New Rule] AWS EC2 LOLBin Execution via SSM
Fixes #5353

* updated from command

* removed high order tag

* adjusted query logic

* updated reference

* add ESQL_priv. to keep

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

* cleaned up comments

* updating query logic to use coalesce

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* added SSM tag

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-05 16:14:33 -05:00
Mika Ayenson, PhD f40a383b7e [New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 12:26:56 -06:00
Ruben Groenewoud 72a2b44db1 [Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
* [Rule Tuning] Interval fix + Datastream values to ESQL Rules

* Update persistence_web_server_potential_command_injection.toml
2025-12-05 16:42:52 +01:00
Samirbous f427735610 [Tuning] Suspicious React Child Process (#5414)
* Update initial_access_execution_susp_react_serv_child.toml

* Update initial_access_execution_susp_react_serv_child.toml

* Enhance EQL query for process execution detection

* Update initial_access_execution_susp_react_serv_child.toml

* Update initial_access_execution_susp_react_serv_child.toml

* Update rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 11:26:48 +00:00
Ruben Groenewoud e1166652c4 [New Rule] Web Server Potential Remote File Inclusion Activity (#5394)
* [New Rule] Web Server Potential Remote File Inclusion Activity

* Add min_stack_version and comments to TOML file

Added minimum stack version and comments for clarity.

* Update rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Add data_stream.namespace to event stats

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:57:56 +01:00
Ruben Groenewoud 4920e9a60f [New Rule] Web Server Local File Inclusion Activity (#5393)
* [New Rule] Web Server Local File Inclusion Activity

* Update discovery_web_server_local_file_inclusion_activity.toml

* Update discovery_web_server_local_file_inclusion_activity.toml

* Update discovery_web_server_local_file_inclusion_activity.toml

* Update rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Add data_stream.namespace to event statistics

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:47:29 +01:00
Samirbous 36baf8c898 [New] Suspicious React Server Child Process (#5407)
* [New] Suspicious React Server Child Process

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

* Update initial_access_execution_susp_react_serv_child.toml
2025-12-04 21:32:20 +00:00
Samirbous 166da45561 [New] Multiple Cloud Secrets Accessed by Source Address (#5388)
* [New] Multiple Cloud Secrets Accessed by Source Address

This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid succession to expand their access or exfiltrate sensitive information.

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-12-04 18:04:25 +00:00
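The detection logic this commit describes (and that the later "[Tuning] Multiple Cloud Secrets Accessed by Source Address" commit adjusts), as an added example in Python that is not code from the elastic/detection-rules repository: successful secret reads are grouped by source address, and a source is reported when a sliding window contains reads from at least two distinct providers. The sample events, the dataset-to-action mapping, the 30-minute window and the function names are assumptions made for this illustration.

```python
"""Added example, not code from the elastic/detection-rules repository.

Implements the behaviour the "Multiple Cloud Secrets Accessed by Source
Address" commit describes: secret-store reads across more than one cloud
provider from the same source address within a short window. The events,
the dataset-to-action mapping and the 30-minute window are constructed
assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of integration dataset -> actions that read a secret value.
# The provider name is taken from the dataset prefix (aws, gcp, azure).
SECRET_READ_ACTIONS = {
    "aws.cloudtrail": {"GetSecretValue"},
    "gcp.audit": {"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"},
    "azure.platformlogs": {"SecretGet"},
}

# Constructed sample events (not real data), flattened to the fields used.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-12-04T10:00:00Z", "source.ip": "203.0.113.10", "event.dataset": "aws.cloudtrail", "event.action": "GetSecretValue", "event.outcome": "success"},
    {"@timestamp": "2025-12-04T10:10:00Z", "source.ip": "203.0.113.10", "event.dataset": "gcp.audit", "event.action": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "event.outcome": "success"},
    {"@timestamp": "2025-12-04T10:20:00Z", "source.ip": "203.0.113.10", "event.dataset": "azure.platformlogs", "event.action": "SecretGet", "event.outcome": "success"},
    # Same provider repeatedly: noisy, but not multi-cloud.
    {"@timestamp": "2025-12-04T10:00:00Z", "source.ip": "198.51.100.7", "event.dataset": "aws.cloudtrail", "event.action": "GetSecretValue", "event.outcome": "success"},
    {"@timestamp": "2025-12-04T10:01:00Z", "source.ip": "198.51.100.7", "event.dataset": "aws.cloudtrail", "event.action": "GetSecretValue", "event.outcome": "success"},
    {"@timestamp": "2025-12-04T10:02:00Z", "source.ip": "198.51.100.7", "event.dataset": "aws.cloudtrail", "event.action": "ListSecrets", "event.outcome": "success"},
    # Two providers, but five hours apart: outside the default window.
    {"@timestamp": "2025-12-04T09:00:00Z", "source.ip": "192.0.2.5", "event.dataset": "aws.cloudtrail", "event.action": "GetSecretValue", "event.outcome": "success"},
    {"@timestamp": "2025-12-04T14:00:00Z", "source.ip": "192.0.2.5", "event.dataset": "gcp.audit", "event.action": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "event.outcome": "success"},
    # Denied read: no secret was obtained, so it does not count.
    {"@timestamp": "2025-12-04T10:05:00Z", "source.ip": "192.0.2.5", "event.dataset": "azure.platformlogs", "event.action": "SecretGet", "event.outcome": "failure"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def multi_cloud_secret_access(events, window=timedelta(minutes=30), min_providers=2):
    """Return {source.ip: sorted providers} for every source address that
    successfully read secrets from at least `min_providers` distinct cloud
    providers inside some window of length `window`."""
    by_src = defaultdict(list)
    for e in events:
        dataset = e["event.dataset"]
        if e["event.action"] not in SECRET_READ_ACTIONS.get(dataset, ()):
            continue  # not a secret read (e.g. ListSecrets) or unknown dataset
        if e.get("event.outcome") != "success":
            continue  # only authenticated sessions that obtained a value
        provider = dataset.split(".", 1)[0]
        by_src[e["source.ip"]].append((_ts(e["@timestamp"]), provider))

    findings = {}
    for src, items in by_src.items():
        items.sort()  # (timestamp, provider) tuples sort by time first
        left = 0
        for right in range(len(items)):
            # Slide the left edge until the window fits [left, right].
            while items[right][0] - items[left][0] > window:
                left += 1
            providers = {p for _, p in items[left:right + 1]}
            if len(providers) >= min_providers:
                findings[src] = sorted(set(findings.get(src, [])) | providers)
    return findings


if __name__ == "__main__":
    for src, providers in multi_cloud_secret_access(SAMPLE_EVENTS).items():
        print(f"{src}: secrets read from {', '.join(providers)}")
```

With the constructed events only 203.0.113.10 is reported: 198.51.100.7 hammers a single provider, which a per-provider threshold rule would catch but this one deliberately does not, and 192.0.2.5 touches two providers only five hours apart. Widening the window to six hours surfaces 192.0.2.5 as well, which is the knob the tuning commit turns.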
Ruben Groenewoud efef99befd [New Rule] Potential HTTP Downgrade Attack (#5372)
* [New Rule] Potential HTTP Downgrade Attack

* Update defense_evasion_potential_http_downgrade_attack.toml
2025-12-04 16:23:38 +01:00
Ruben Groenewoud f42b5143a6 [New Rule] Initial Access via File Upload Followed by GET Request (#5371)
* [New Rule] Initial Access via File Upload Followed by GET Request

* Slightly increase timespan

* ++

* Update rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-12-04 16:10:13 +01:00
Terrance DeJesus 7a884ebe2b [Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
* [Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform
Fixes #5402

* removed rule from Linux directory

* adjusted mitre for unit tests

* Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* expanding to S1

* adding integration metadata

* Add 'start' action to Node.js install script detection

* Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-04 09:07:12 -05:00
Samirbous 02979fec68 [New/Tuning] NPM Shai-Hulud coverage (#5368)
* [New/Tuning] NPM Shai-Hulud coverage

https://socket.dev/blog/shai-hulud-strikes-again-v2

* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

* Update credential_access_trufflehog_execution.toml

* Update credential_access_trufflehog_execution.toml

* Update credential_access_trufflehog_execution.toml

* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/execution_register_github_actions_runner.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/execution_via_github_actions_runner.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Create initial_access_github_register_self_hosted_runner.toml

* Update initial_access_github_register_self_hosted_runner.toml

* Update initial_access_github_register_self_hosted_runner.toml

* Update initial_access_github_register_self_hosted_runner.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-02 10:57:12 +00:00
Ruben Groenewoud 046d52c902 [New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
* [New Rule] Execution via GitHub Runner with Audit Disabled via Environment Variables

* [New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners

* ++

* ++

* Update execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml

* Remove 'Use Case: Vulnerability' entry

Removed 'Use Case: Vulnerability' from the list.

* Add timestamp override to GitHub runner execution rules

* Update rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml

* Enhance guide for RUNNER_TRACKING_ID tampering

Added detailed investigation guide for tampering with RUNNER_TRACKING_ID in GitHub Actions runners, including triage steps, false positive analysis, and remediation actions.
2025-12-02 10:22:24 +01:00
Ruben Groenewoud e8ecba7d00 [New Rule] Potential Secret Scanning via Gitleaks (#5377)
* [New Rule] Potential Secret Scanning via Gitleaks

* Enhance investigation guide for Gitleaks credential access

Updated the note section with detailed investigation steps, false positive analysis, and response/remediation guidelines for Gitleaks usage.

* Update rules/cross-platform/credential_access_gitleaks_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-02 09:42:19 +01:00
Ruben Groenewoud 2abd3de795 [New Rule] Privileged Container Creation with Host Directory Mount (#5373)
* [New Rule] Privileged Container Creation with Host Directory Mount

* ++

* ++

* Update execution_privileged_container_creation_with_host_reference.toml

* Update risk score and severity in TOML file

* Update execution_privileged_container_creation_with_host_reference.toml

* Update rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml

* Add reference link for container escape techniques
2025-12-02 09:33:16 +01:00
Ruben Groenewoud e19ce18a40 [Rule Tunings] Misc. Web Server Rules (#5384) 2025-12-02 09:21:16 +01:00
Samirbous bcd1b5049a Update multiple_alerts_elastic_defend_netsecurity_by_host.toml (#5375) 2025-12-01 07:18:19 -08:00
Ruben Groenewoud d10dc0809f [Rule Tuning] Credential Access via TruffleHog Execution (#5362) 2025-11-25 12:18:42 +01:00
shashank-elastic 5386345ca7 Add Investigation Guides for Rules (#5357) 2025-11-25 01:08:15 +05:30
Eric Forte 13738b5d17 Tune rule indices (#5359) 2025-11-24 14:03:50 -05:00
Ruben Groenewoud 94ff4b0e3e [New Rule] Web Server Potential Command Injection Request (#5341)
* [New Rule] Web Server Potential Command Injection Request

* Update variable names to use consistent casing

* Add 'Domain: Network' tag to command injection rule

* Update persistence_web_server_potential_command_injection.toml

* adding missing tags

* Update rules/cross-platform/persistence_web_server_potential_command_injection.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update rules/cross-platform/persistence_web_server_potential_command_injection.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-25 00:11:28 +05:30
Ruben Groenewoud b0cc0cbe13 [New Rule] Web Server Suspicious User Agent Request Spike (#5340)
* [New Rule] Web Server Unusual User Agent Request

* [New Rule] Web Server Suspicious User Agent Request Spike

* Update reconnaissance_web_server_unusual_user_agents.toml

* Update reconnaissance_web_server_unusual_user_agents.toml

* ++

* ++

* Rename rule for suspicious user agent requests

* fixing from indices formatting

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-25 00:00:22 +05:30
Ruben Groenewoud 4f8c967185 [New Rule] Web Server Unusual Spike in Error Logs (#5339)
* [New Rule] Web Server Unusual Spike in Error Logs

* Update reconnaissance_web_server_unusual_spike_in_error_logs.toml

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

* ++

* Remove event limit from error log rule

Removed limit on the number of events in the rule.

* Rename rule to 'Web Server Potential Spike in Error Logs'

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 13:18:23 -05:00
Ruben Groenewoud 296049e1ff [New Rule] Web Server Unusual Spike in Error Response Codes (#5338)
* [New Rule] Web Server Unusual Spike in Error Response Codes

* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

* Update tags in reconnaissance web server rule

* Add network domain tag and modify ESQL queries

* Remove url.path from error response rules

* ++

* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

* fixing from indices formatting

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-24 13:08:25 -05:00
Ruben Groenewoud 167def0bc1 [New Rule] Web Server Discovery or Fuzzing Activity (#5337)
* [New Rule] Web Server Discovery or Fuzzing Activity

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add case handling for URL normalization in rule

* Replace url.path with Esql_url_lower in TOML file

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* ++

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add manifest and schema updates

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* ++

* Update fortigate schemas

* Revert "Update fortigate schemas"

This reverts commit b7c87b0ff50c6d36ba7e6c223de2813d7edceb03.

* Revert "++"

This reverts commit 7f5d860da6012218c586f90e98cb5eb0c9c0ede5.

* [New Rule] Web Server Discovery or Fuzzing Activity

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add case handling for URL normalization in rule

* Replace url.path with Esql_url_lower in TOML file

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* ++

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Add manifest and schema updates

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* Added schema/manifest updates

* ++

* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml

* revert manifests / schemas to main

* adds nginx, iis, apache_tomcat, apache to integration manifests and schemas

* bumping patch version

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-24 12:40:12 -05:00