f7387bb10d
[FR] [DAC] Add Exception Duplication Checking ( #5689 )
...
* Add Exception Duplication Checking
2026-04-29 08:57:07 -04:00
cb3c342b31
Lock versions for releases: 8.19,9.2,9.3,9.4 ( #5998 )
2026-04-29 00:52:04 +05:30
0f521a0848
Fix value lists within exception lists ( #5963 )
...
* Fix value lists within exception lists
2026-04-24 12:23:06 -04:00
b6886f310c
[FR] Add enforcement for deprecated_reason ( #5953 )
2026-04-23 17:15:47 +05:30
2dac152094
Lock versions for releases: 8.19,9.2,9.3,9.4 ( #5972 )
...
* Locked versions for releases: 8.19,9.2,9.3,9.4
---------
Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com >
2026-04-22 20:15:10 -04:00
2029654e79
ESQL validation support fix ( #5970 )
2026-04-22 16:52:37 -04:00
7a54f8be99
Prep for Release 9.4 ( #5965 )
2026-04-23 00:13:05 +05:30
876e4ed535
[Bug ]Fix Kibana version parsing for package version ( #5962 )
...
* [Bug ]Fix kibana version parsing for package version
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2026-04-22 11:25:06 -04:00
d8a39869c5
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 ( #5909 )
...
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2026-04-22 17:36:35 +05:30
9736407ef3
[FR] [DAC] Initial Yaml Support ( #5821 )
...
* Initial Yaml Support
2026-04-10 11:29:15 -04:00
984be4a1ac
[Bug] Small bugfix to address update navigator edge case ( #5942 )
...
* [Bug] Small bugfix to address update navigator edge case
2026-04-10 08:53:56 -04:00
1503976d10
[FR] Load ECS mapping based on supplied stack version ( #5925 )
...
* Load ECS mapping based on supplied stack version
2026-04-09 12:40:10 -04:00
c601edfbb3
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5930 )
2026-04-08 19:44:16 +05:30
88bc42265f
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5926 )
2026-04-07 17:45:00 +05:30
48128c1c66
[Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field ( #5894 )
...
* [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field
Fixes #5893
* adding non-admin consented filter
* converting to ESQL
* additional query adjustments
* adjusted query KEEP
* updating non-ecs
* Apply suggestion from @terrancedejesus
2026-04-06 09:40:21 -04:00
199a4d6160
Monthly Manifest and Schema Updation ( #5920 )
2026-04-06 17:35:33 +05:30
d9890db6ff
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5888 )
...
* Locked versions for releases: 8.19,9.1,9.2,9.3
* Update pyproject.toml
---------
Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com >
2026-03-26 12:31:50 -05:00
cd19b25485
[New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme ( #5878 )
...
* [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme
Fixes #5877
* adding microsoft_exchange_online_message_trace to manifests/schemas; bumping patch
* updated mitre
* Update rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* bumping patch
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2026-03-26 10:50:15 -05:00
75ffa5ec4e
[FR] [DaC] Add fine-grained bypass env var for ES|QL keep and metadata validation ( #5869 )
...
* Add fine grain 'keep' req bypass
* Add metadata bypass
2026-03-24 14:36:45 -04:00
b14dec9efa
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5875 )
2026-03-23 23:45:25 +05:30
ade7de7be4
[New Rules] External Promotion Alert for IBM QRadar ( #5843 )
2026-03-20 14:42:43 -05:00
cb5b89f83e
[FR] Includes deprecated rule stubs to the package for upstream testing ( #5813 )
...
* adds scripting to include deprecated rule stubs in package
* remove deprecated manifest from package
* adds 9.4 gate
* bump version
* fix merge conflict
* test
* revert commit hash
* adds deprecated_reason logic from comment
* fix lint error
* fix lint error
* fix formatting
* test
* revert commit hash
* Update detection_rules/packaging.py
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-03-18 14:34:25 -05:00
8b140d5811
[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules ( #5837 )
...
* [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules
* ++
* Bump pyproject.toml
* Bump pyproject.toml
2026-03-17 17:28:47 +01:00
937a7a35e6
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse ( #5824 )
...
* [New Rule] Azure Arc Kubernetes Cluster Connect Abuse
Fixes #5823
* rename, adjusted query
* adding KEEP *
* adjusting maturity
* added to non-ecs schema
* updating rule
* addressing unit test failures
* adjustments to logic, mitre mappings, unit test failures, etc.
* Update rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-03-17 11:06:47 -04:00
49c9c283e6
[FR] Reset deprecated lock to the latest state during lock ( #5827 )
2026-03-16 17:04:56 -05:00
57bf1546dd
[Bug] [DAC] Add filtering to export-rules-from-repo ( #5769 )
...
* Add filtering to export-rules-from-repo
2026-03-10 13:03:52 -04:00
61211a2670
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5820 )
2026-03-10 18:49:55 +05:30
87badac5a0
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5818 )
2026-03-10 15:33:16 +05:30
26d37dd62e
[Bug] Ignore Other Keep Wildcards ( #5792 )
...
* Ignore other Keep Wildcards
* Added a unit test for multiple keeps
* Add keep star unit tests
2026-03-09 19:33:27 -04:00
e08f234b1c
Monthly Manifest and Schema Updation ( #5816 )
...
* Monthly Manifest and Schema Updation
* Update Patch Version
2026-03-09 08:15:06 -05:00
5ecbc0f0b9
[New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access ( #5777 )
...
* [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access
Fixes #5776
* adjusting UUIDs
* added additional strings
* adjusted investigation guide
* fixed mitre mappings
* fixed mitre mappings
* Apply suggestion from @terrancedejesus
2026-02-26 14:29:14 -05:00
71c461d867
[New Rule] M365 MFA Notification Email Deleted or Moved ( #5779 )
...
* [New Rule] M365 MFA Notification Email Deleted or Moved
Fixes #5778
* updated non-ecs
* adjusted rule name
* Apply suggestion from @terrancedejesus
2026-02-26 13:21:08 -05:00
8593116f58
[New Rule] Okta User Authentication via Proxy Followed by Security Alert ( #5752 )
...
* [New Rule] Okta User Authentication via Proxy Followed by Security Alert
Fixes #5751
* adjusted to EQL
* fixed syntax
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* removed defense evasion; adjusted maxspan to 30m
* removed Okta tag
* adding Okta back as integration tag
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2026-02-26 11:32:25 -05:00
04ad018f27
[Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads ( #5767 )
...
* [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads
Fixes #5766
* updated non-ecs
* fixing keep command
2026-02-26 10:38:59 -05:00
201660af36
[Bug] Adding Deprecated Rules to Rules Package Breaks Current Package Build ( #5773 )
...
* applying patch fix for historical rules and deprecated JSON object
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2026-02-24 13:54:46 -05:00
92a379e034
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5765 )
2026-02-24 18:49:27 +05:30
5adc118f92
[Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value ( #5747 )
...
* Add reverse lookup check against Kibana value
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-20 15:29:51 -05:00
a1c3267529
[FR] Add deprecated file to release for upstream testing ( #5749 )
2026-02-20 14:16:27 -06:00
f773103519
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection ( #5702 )
...
* [Rule Tuning] Entra ID Federated Identity Credential Persistence Detection
Fixes #5701
* updated mitre mapping ID
* adjusted mitre mappings; non-ecs schema file
* fixed trailing comma in non-ecs; adjusted file name
* adjusted file name; fixed non-ecs schema for upstream ESQL validation
* Apply suggestion from @terrancedejesus
* Apply suggestion from @terrancedejesus
* changed lookback to 9 minutes; adjusted keep values
* added setup; added tag
2026-02-19 15:58:12 -05:00
63f76cf004
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client ( #5681 )
...
* [Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Fixes #5680
* adjusted query format for unit test; added additional domain tag for storage
* Apply suggestion from @terrancedejesus
* Fix formatting in non-ecs-schema.json
* adjusted description
* re-order mappings
2026-02-19 10:09:15 -05:00
62cc9f105d
[Rule Tuning] Okta User Assigned Administrator Role ( #5671 )
...
Fixes #5670
2026-02-12 09:33:25 -05:00
f306404fe5
[Bug] CLI adds frequency field to system actions (.cases), causing import failure ( #5690 )
...
* No frequency field to cases
2026-02-11 15:18:20 -05:00
f74c04d11a
[Bug] ESQL validation keep Clause Reported Missing Metadata Fields ( #5717 )
...
* Update Keep Field to Handle Comments
* Update for handling inline comments
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2026-02-11 15:02:23 -05:00
df9c27d82e
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5708 )
2026-02-10 11:14:23 +05:30
70d7f2b6b1
Monthly Manifest and Schema Updation ( #5697 )
2026-02-10 09:17:04 +05:30
64a08cd6af
[New Rules] Misc. K8s RBAC Abuse Rules ( #5673 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New Rules] Misc. K8s RBAC Abuse Rules
* --
* Update non-ecs-schema
* Update to make unit tests happy
* Mitre mapping updates
* Fix query logic for service account role bindings
* Fix formatting in persistence_service_account_bound_to_clusterrole rule
2026-02-05 17:42:03 +01:00
694376bd7a
[Bug] Fix UTF-8 Encoding for Rule File Operations ( #5684 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Bug] Fix UTF-8 Encoding for Rule File Operations
2026-02-05 14:21:30 +01:00
362c459094
[New] Multiple Machine Learning Alerts by Influencer Field ( #5660 )
...
* [New] Multiple Machine Learning Alerts by Influencer Field
This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.
* Update multiple_machine_learning_jobs_by_entity.toml
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
2026-02-04 12:25:59 +00:00
59e394f36b
[doc fix] Adjust wording in the docs for Kibana import/export commands ( #5600 )
...
* Wording fix
* Version bump
* Style fixes
* Style fix for tests
2026-02-04 11:17:58 +01:00
c455d3d98a
[Rule Tuning] Full Kubernetes Ruleset ( #5659 )
...
* [Rule Tuning] Full Kubernetes Ruleset
* ++
* Update manifests & schemas
* Update pyproject.toml
* Added "kubernetes.audit.userAgent" to non_ecs
* Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword
* Apply suggestion from @Aegrah
* Apply suggestion from @Aegrah
* Update privilege_escalation_pod_created_with_hostnetwork.toml
* Apply suggestion from @Aegrah
* Update privilege_escalation_pod_created_with_hostipc.toml
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* ++
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-04 10:42:41 +01:00
Eric Forte