* Omit Esql.* columns from ES|QL rule required_fields
Kibana treats required_fields as index mappings. ES|QL stats and
similar commands expose Esql.* and Esql_priv.* result columns that
are not mapped on source indices, which produced noisy validation
warnings for shipped rules.
Filter those names when building required_fields. Add a check in
test_esql_endpoint_alerts_index when remote ES|QL validation runs.
Fixes #6026.
* Move required_fields check to its own remote test
* Iterate production rules in required_fields test
* Use direct get_required_fields call in remote test
Skip to_api_format() and call data.get_required_fields(index) directly,
gated on ESQLRuleData. Mirrors the ESQLValidator scope of the fix and
avoids the unrelated packaging steps that to_api_format runs per rule.
* Bump version to 1.6.30
* Centralize ES|QL dynamic field prefix tuple
Define ESQL_DYNAMIC_FIELD_PREFIXES = ("Esql.", "Esql_priv.") in
schemas/definitions.py and reuse it in QueryValidator.get_required_fields,
ESQLValidator.validate_columns_index_mapping, and the remote test.
Single source of truth and consistent ordering across the codebase.
* [New] AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
Detects when credentials issued through `AssumeRoleWithWebIdentity` for a Kubernetes service account identity are later used for several distinct AWS control-plane actions on the same session access key. Workloads that use EKS IAM Roles for Service Accounts routinely exchange a projected service-account token for short-lived IAM credentials; this rule highlights sessions where that exchange is followed by a spread of sensitive APIs—reconnaissance, secrets and parameter access, IAM changes, or compute creation—beyond what routine pod traffic usually shows.
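The session correlation the rule description above relies on, written out as an added Python example over constructed CloudTrail-shaped events (not the repository's rule or its query; the sensitive-action list, the threshold of three distinct actions, and the `system:serviceaccount:` subject check are assumptions):

```python
"""Correlate AssumeRoleWithWebIdentity sessions minted for Kubernetes service
accounts with later sensitive control-plane calls on the same access key.
Added example; event shapes, action list and threshold are assumptions."""
from collections import defaultdict

# Assumed set of sensitive control-plane actions (not the rule's own list).
SENSITIVE_ACTIONS = {
    "ListBuckets", "GetSecretValue", "GetParameter", "CreateAccessKey",
    "AttachRolePolicy", "RunInstances", "ListRoles",
}
DISTINCT_ACTION_THRESHOLD = 3  # assumption


def is_k8s_service_account(subject):
    """EKS IRSA tokens carry a system:serviceaccount:<ns>:<name> subject (assumed)."""
    return subject.startswith("system:serviceaccount:")


def find_suspicious_sessions(events):
    """Return {access_key_id: sorted distinct sensitive actions} for sessions that
    were issued to a Kubernetes SA and later used for >= threshold distinct actions."""
    sa_sessions = {}                 # access key -> SA subject that obtained it
    actions = defaultdict(set)       # access key -> distinct sensitive actions seen
    for ev in events:
        if ev["eventName"] == "AssumeRoleWithWebIdentity":
            subject = ev.get("userIdentity", {}).get("userName", "")
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key and is_k8s_service_account(subject):
                sa_sessions[key] = subject
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key in sa_sessions and ev["eventName"] in SENSITIVE_ACTIONS:
            actions[key].add(ev["eventName"])
    return {k: sorted(v) for k, v in actions.items()
            if len(v) >= DISTINCT_ACTION_THRESHOLD}


# Constructed sample events (not real CloudTrail data). The second session is a
# GitHub Actions OIDC subject, so it is out of scope even though it is busy.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "userName": "system:serviceaccount:payments:api"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE1"}}},
    {"eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "userName": "repo:org/app:ref:refs/heads/main"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE2"}}},
    {"eventName": "GetSecretValue", "userIdentity": {"accessKeyId": "ASIAEXAMPLE1"}},
    {"eventName": "ListRoles", "userIdentity": {"accessKeyId": "ASIAEXAMPLE1"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"accessKeyId": "ASIAEXAMPLE1"}},
    {"eventName": "GetSecretValue", "userIdentity": {"accessKeyId": "ASIAEXAMPLE1"}},
    {"eventName": "ListRoles", "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
    {"eventName": "GetSecretValue", "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
    {"eventName": "RunInstances", "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
]
```

Repeated calls to the same API count once, so the threshold measures breadth of the session rather than volume.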
* Update initial_access_assumed_web_identity_session_with_multi_phase_api_use.toml
* Update and rename initial_access_assumed_web_identity_session_with_multi_phase_api_use.toml to lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml
* Create initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml
* Update initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml
* Update initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml
* Update initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml
* [New] Potential Privilege Escalation in Container via Runc Init
Identifies audit events for `runc init` child processes where the effective user is root and the login user ID is not root. This pattern can indicate privilege escalation or credential separation abuse inside container runtimes, where a process executes with elevated effective privileges while retaining a non-root audit identity.
* Update rules/linux/privilege_escalation_container_runc_init_effective_root_auditd.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Delete rules/linux/privilege_escalation_container_runc_init_effective_root_auditd.toml
* Update rules/integrations/aws/initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Apply suggestion from @imays11
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestion from @terrancedejesus
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestion from @terrancedejesus
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New] Suspicious SUDI Binary Execution
Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths).
* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update privilege_escalation_suspicious_sudi_binary_execution.toml
* Update privilege_escalation_suspicious_sudi_binary_execution.toml
* Rename privilege_escalation_suspicious_sudi_binary_execution.toml to privilege_escalation_suspicious_suid_binary_execution.toml
* Update privilege_escalation_suspicious_suid_binary_execution.toml
* Update privilege_escalation_suspicious_suid_binary_execution.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New] AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
Detects AWS access keys that are used from both GitHub Actions CI/CD infrastructure and non-CI/CD infrastructure. This pattern indicates potential credential theft, where an attacker has stolen AWS credentials configured as GitHub Actions secrets and is using them from their own infrastructure.
* Update initial_access_github_actions_oidc_credentials_used_from_suspicious_network.toml
* ++
* Update initial_access_github_actions_oidc_credentials_used_from_suspicious_network.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [New] AWS Rare Source AS Organization Activity
Surfaces an AWS identity whose successful API traffic is dominated by a small set of large cloud-provider source AS organization labels, yet also shows a very small share of traffic from other AS organization names—including at least one sensitive control-plane, credential, storage, or model-invocation action on that uncommon network path with recent activity from the uncommon path. The intent is to highlight disproportionate “baseline” cloud egress versus sparse use from rarer networks on the same principal, a shape that can appear when automation or CI credentials are reused or pivoted outside their usual hosted-cloud footprint.
* Apply suggestion from @eric-forte-elastic
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update initial_access_aws_api_unusual_asn.toml
* Update initial_access_aws_api_unusual_asn.toml
* Update initial_access_aws_api_unusual_asn.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [New] Long Base64 Encoded Command via Scripting Interpreter
Identifies oversized command lines used by Python, PowerShell, Node.js, or Deno that contain base64 decoding or encoded-command patterns. Adversaries may embed long inline encoded payloads in scripting interpreters to evade inspection and execute malicious content across Windows, macOS, and Linux systems.
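The length-plus-marker logic the rule description above outlines, as an added Python example run over constructed process events (not the repository's rule or its query; the 1000-character threshold, the interpreter set and the marker regex are assumptions):

```python
"""Flag oversized interpreter command lines that carry base64 decode or
encoded-command markers. Added example; threshold and patterns are assumptions."""
import re

INTERPRETERS = {"python", "python3", "powershell", "pwsh", "node", "deno"}
MIN_COMMAND_LENGTH = 1000  # assumption; the rule's own threshold is not stated here
# Decode / encoded-command markers per interpreter family (assumed, not the rule's list).
BASE64_PATTERNS = re.compile(
    r"(base64\.b64decode|b64decode\(|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"
    r"|\[Convert\]::FromBase64String|Buffer\.from\([^)]*['\"]base64['\"]\)|atob\()",
    re.IGNORECASE,
)


def is_long_encoded_command(process_name, command_line):
    """True when an in-scope interpreter runs a long command line with a base64 marker."""
    name = process_name.lower().removesuffix(".exe")
    if name not in INTERPRETERS or len(command_line) < MIN_COMMAND_LENGTH:
        return False
    return BASE64_PATTERNS.search(command_line) is not None


def detect(events):
    """Return the process names of events that trip the check, in input order."""
    return [e["process.name"] for e in events
            if is_long_encoded_command(e["process.name"], e["process.command_line"])]


# Constructed sample process events (not real telemetry); FILLER stands in for
# a long inline blob so that no real encoded content appears here.
FILLER = "A" * 1200
SAMPLE_EVENTS = [
    {"process.name": "python3",
     "process.command_line": f"python3 -c \"import base64;base64.b64decode('{FILLER}')\""},
    {"process.name": "powershell.exe",
     "process.command_line": f"powershell.exe -enc {FILLER}"},
    {"process.name": "node",
     "process.command_line": f"node -e \"Buffer.from('{FILLER}','base64').toString()\""},
    {"process.name": "python3",  # long but no decode marker: plain data script
     "process.command_line": "python3 -c \"print('" + "x" * 1200 + "')\""},
    {"process.name": "powershell.exe",  # encoded marker but far below the length floor
     "process.command_line": "powershell.exe -enc " + "A" * 60},
    {"process.name": "bash",  # decoding happens, but bash is not an in-scope interpreter
     "process.command_line": f"bash -c \"echo {FILLER} | base64 -d\""},
]
```

The two gates are deliberately independent: the length floor drops ordinary short `-enc` launches that are common in administration, and the marker regex drops long but unencoded scripts.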
* Update defense_evasion_long_base64_encoded_interpreter_command_line.toml
* Update defense_evasion_long_base64_encoded_interpreter_command_line.toml