Jonhnathan
b956a4350f
[Rule Tuning] Multiple Alerts Involving a User (#5498)
* [Rule Tuning] Multiple Alerts Involving a User
* Update multiple_alerts_involving_user.toml
* Update multiple_alerts_involving_user.toml
* Update non-ecs-schema.json
* ++
* Update multiple_alerts_involving_user.toml
* ++
* Update non-ecs-schema.json
2025-12-19 12:57:25 -03:00
Samirbous
95cf506c9d
[New] Suricata and Elastic Defend Network Correlation (#5443)
* [New] Suricata and Elastic Defend - Command and Control Correlation
This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process
performing the network activity.
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* add suricata to schemas
* merge from main
* reset schemas
* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-19 09:08:31 +00:00
Samirbous
a1e40de4a5
[New] Alerts From Multiple Integrations by Entity (#5460)
* [New] Alerts From Multiple Integrations by Entity IP
Higher-Order Rules that trigger on different integrations with different event.category (e.g. authentication with endpoint, email with network, etc.) for the same entity (user, IP) in an interval of 4 hours. The rule is set to run every 1h.
- Alerts From Multiple Integrations by Source Address
- Alerts From Multiple Integrations by Destination IP
- Alerts From Multiple Integrations by User Name
* ++
* ++
* ++
* ++
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_srcip.toml
* Update multiple_alerts_from_different_modules_by_user.toml
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_srcip.toml
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_srcip.toml
* Update multiple_alerts_from_different_modules_by_user.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-18 18:04:58 +00:00
Samirbous
b996a29451
[Tuning] Diverse Rules Tuning (#5482)
* [Tuning] Diverse Rules Tuning
* Update persistence_shell_profile_modification.toml
* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* ++
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update persistence_shell_profile_modification.toml
* Revert "Update credential_access_potential_linux_ssh_bruteforce_internal.toml"
This reverts commit bad889a30d3f4a028de2b6624307f75b279a205b.
* Update persistence_web_server_sus_destination_port.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-18 15:30:12 +00:00
Samirbous
6ac69db7ba
[Tuning] Elastic Defend and Email Alerts Correlation (#5459)
* [Tuning] Elastic Defend and Email Alerts Correlation
This rule uses the logs-* generic index, which causes failures on clusters without an email-related integration with `destination.user.name` populated. For now, limiting the rule to Checkpoint email security; we can add more, or users can customize it by adding more indexes.
* add checkpoint_email manifest and schema
* Update pyproject.toml
* Update multiple_alerts_email_elastic_defend_correlation.toml
2025-12-15 15:33:10 +00:00
Samirbous
a6548d9773
Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446)
2025-12-12 17:47:11 +00:00
Samirbous
3726611b93
[Tuning] Top Noisy Rules (#5449)
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths. Alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (Expected reduction: more than 50%.)
#2 Privileged Account Brute Force: converted to ES|QL and set the threshold to 50 in a minute. This should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-12 14:28:12 +00:00
Samirbous
fcb6c3c433
[Tuning] Suspicious React Server Child Process (#5447)
* Update initial_access_execution_susp_react_serv_child.toml
* Update initial_access_execution_susp_react_serv_child.toml
2025-12-12 10:40:23 +00:00
Terrance DeJesus
cabf1c2a02
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
* Tuning azure and m365 rule names and file paths
* addressing unit test failures
* addressing unit test failures
* Changed Frontdoor to Front Door
* removed extra space in name
* adjusted Microsoft 365 to M365 in rule name
* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml
* Update rules/integrations/azure/persistence_automation_account_created.toml
* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
* Update rules/integrations/azure/persistence_automation_webhook_created.toml
* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml
* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* fixed additional rule names
* Update rule dates and investigation guide headers
- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* changed kibana alert rule name to rule ID
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-10 12:59:50 -05:00
Jonhnathan
7a54ae33a5
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
* [Rule Tuning] Add Missing Metadata to KEEP conditions
* Add them all
* ++
* date bump
* Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml
2025-12-09 17:05:20 -08:00
shashank-elastic
58a514340b
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
Ruben Groenewoud
7aacebba02
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421)
2025-12-08 18:54:23 +05:30
Ruben Groenewoud
bd9b1f222d
[Rule Tuning] Suspicious React Server Child Process (#5419)
2025-12-08 12:50:41 +01:00
Terrance DeJesus
cea2f43732
[New Rule] AWS EC2 LOLBin Execution via SSM (#5354)
* [New Rule] AWS EC2 LOLBin Execution via SSM
Fixes #5353
* updated from command
* removed high order tag
* adjusted query logic
* updated reference
* add ESQL_priv. to keep
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
* cleaned up comments
* updating query logic to use coalesce
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* added SSM tag
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-05 16:14:33 -05:00
Mika Ayenson, PhD
f40a383b7e
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 12:26:56 -06:00
Ruben Groenewoud
72a2b44db1
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
* [Rule Tuning] Interval fix + Datastream values to ESQL Rules
* Update persistence_web_server_potential_command_injection.toml
2025-12-05 16:42:52 +01:00
Samirbous
f427735610
[Tuning] Suspicious React Child Process (#5414)
* Update initial_access_execution_susp_react_serv_child.toml
* Update initial_access_execution_susp_react_serv_child.toml
* Enhance EQL query for process execution detection
* Update initial_access_execution_susp_react_serv_child.toml
* Update initial_access_execution_susp_react_serv_child.toml
* Update rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 11:26:48 +00:00
Ruben Groenewoud
e1166652c4
[New Rule] Web Server Potential Remote File Inclusion Activity (#5394)
* [New Rule] Web Server Potential Remote File Inclusion Activity
* Add min_stack_version and comments to TOML file
Added minimum stack version and comments for clarity.
* Update rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Add data_stream.namespace to event stats
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:57:56 +01:00
Ruben Groenewoud
4920e9a60f
[New Rule] Web Server Local File Inclusion Activity (#5393)
* [New Rule] Web Server Local File Inclusion Activity
* Update discovery_web_server_local_file_inclusion_activity.toml
* Update discovery_web_server_local_file_inclusion_activity.toml
* Update discovery_web_server_local_file_inclusion_activity.toml
* Update rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Add data_stream.namespace to event statistics
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:47:29 +01:00
Samirbous
36baf8c898
[New] Suspicious React Server Child Process (#5407)
* [New] Suspicious React Server Child Process
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
* Update initial_access_execution_susp_react_serv_child.toml
2025-12-04 21:32:20 +00:00
Samirbous
166da45561
[New] Multiple Cloud Secrets Accessed by Source Address (#5388)
* [New] Multiple Cloud Secrets Accessed by Source Address
This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
succession to expand their access or exfiltrate sensitive information.
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-12-04 18:04:25 +00:00
Ruben Groenewoud
efef99befd
[New Rule] Potential HTTP Downgrade Attack (#5372)
* [New Rule] Potential HTTP Downgrade Attack
* Update defense_evasion_potential_http_downgrade_attack.toml
2025-12-04 16:23:38 +01:00
Ruben Groenewoud
f42b5143a6
[New Rule] Initial Access via File Upload Followed by GET Request (#5371)
* [New Rule] Initial Access via File Upload Followed by GET Request
* Slightly increase timespan
* ++
* Update rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-12-04 16:10:13 +01:00
Terrance DeJesus
7a884ebe2b
[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
* [Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform
Fixes #5402
* removed rule from Linux directory
* adjusted mitre for unit tests
* Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* expanding to S1
* adding integration metadata
* Add 'start' action to Node.js install script detection
* Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-04 09:07:12 -05:00
Samirbous
02979fec68
[New/Tuning] NPM Shai-Hulud coverage (#5368)
* [New/Tuning] NPM Shai-Hulud coverage
https://socket.dev/blog/shai-hulud-strikes-again-v2
* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
* Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
* Update credential_access_trufflehog_execution.toml
* Update credential_access_trufflehog_execution.toml
* Update credential_access_trufflehog_execution.toml
* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/execution_register_github_actions_runner.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/execution_via_github_actions_runner.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Create initial_access_github_register_self_hosted_runner.toml
* Update initial_access_github_register_self_hosted_runner.toml
* Update initial_access_github_register_self_hosted_runner.toml
* Update initial_access_github_register_self_hosted_runner.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-02 10:57:12 +00:00
Ruben Groenewoud
046d52c902
[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
* [New Rule] Execution via GitHub Runner with Audit Disabled via Environment Variables
* [New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners
* ++
* ++
* Update execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
* Remove 'Use Case: Vulnerability' entry
Removed 'Use Case: Vulnerability' from the list.
* Add timestamp override to GitHub runner execution rules
* Update rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
* Enhance guide for RUNNER_TRACKING_ID tampering
Added detailed investigation guide for tampering with RUNNER_TRACKING_ID in GitHub Actions runners, including triage steps, false positive analysis, and remediation actions.
2025-12-02 10:22:24 +01:00
Ruben Groenewoud
e8ecba7d00
[New Rule] Potential Secret Scanning via Gitleaks (#5377)
* [New Rule] Potential Secret Scanning via Gitleaks
* Enhance investigation guide for Gitleaks credential access
Updated the note section with detailed investigation steps, false positive analysis, and response/remediation guidelines for Gitleaks usage.
* Update rules/cross-platform/credential_access_gitleaks_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-02 09:42:19 +01:00
Ruben Groenewoud
2abd3de795
[New Rule] Privileged Container Creation with Host Directory Mount (#5373)
* [New Rule] Privileged Container Creation with Host Directory Mount
* ++
* ++
* Update execution_privileged_container_creation_with_host_reference.toml
* Update risk score and severity in TOML file
* Update execution_privileged_container_creation_with_host_reference.toml
* Update rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
* Add reference link for container escape techniques
2025-12-02 09:33:16 +01:00
Ruben Groenewoud
e19ce18a40
[Rule Tunings] Misc. Web Server Rules (#5384)
2025-12-02 09:21:16 +01:00
Samirbous
bcd1b5049a
Update multiple_alerts_elastic_defend_netsecurity_by_host.toml (#5375)
2025-12-01 07:18:19 -08:00
Ruben Groenewoud
d10dc0809f
[Rule Tuning] Credential Access via TruffleHog Execution (#5362)
2025-11-25 12:18:42 +01:00
shashank-elastic
5386345ca7
Add Investigation Guides for Rules (#5357)
2025-11-25 01:08:15 +05:30
Eric Forte
13738b5d17
Tune rule indices (#5359)
2025-11-24 14:03:50 -05:00
Ruben Groenewoud
94ff4b0e3e
[New Rule] Web Server Potential Command Injection Request (#5341)
* [New Rule] Web Server Potential Command Injection Request
* Update variable names to use consistent casing
* Add 'Domain: Network' tag to command injection rule
* Update persistence_web_server_potential_command_injection.toml
* adding missing tags
* Update rules/cross-platform/persistence_web_server_potential_command_injection.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update rules/cross-platform/persistence_web_server_potential_command_injection.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-25 00:11:28 +05:30
Ruben Groenewoud
b0cc0cbe13
[New Rule] Web Server Suspicious User Agent Request Spike (#5340)
* [New Rule] Web Server Unusual User Agent Request
* [New Rule] Web Server Suspicious User Agent Request Spike
* Update reconnaissance_web_server_unusual_user_agents.toml
* Update reconnaissance_web_server_unusual_user_agents.toml
* ++
* ++
* Rename rule for suspicious user agent requests
* fixing from indices formatting
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-25 00:00:22 +05:30
Ruben Groenewoud
4f8c967185
[New Rule] Web Server Unusual Spike in Error Logs (#5339)
* [New Rule] Web Server Unusual Spike in Error Logs
* Update reconnaissance_web_server_unusual_spike_in_error_logs.toml
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
* ++
* Remove event limit from error log rule
Removed limit on the number of events in the rule.
* Rename rule to 'Web Server Potential Spike in Error Logs'
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 13:18:23 -05:00
Ruben Groenewoud
296049e1ff
[New Rule] Web Server Unusual Spike in Error Response Codes (#5338)
* [New Rule] Web Server Unusual Spike in Error Response Codes
* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
* Update tags in reconnaissance web server rule
* Add network domain tag and modify ESQL queries
* Remove url.path from error response rules
* ++
* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
* Update reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
* fixing from indices formatting
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-24 13:08:25 -05:00
Ruben Groenewoud
167def0bc1
[New Rule] Web Server Discovery or Fuzzing Activity (#5337)
* [New Rule] Web Server Discovery or Fuzzing Activity
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add case handling for URL normalization in rule
* Replace url.path with Esql_url_lower in TOML file
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* ++
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add manifest and schema updates
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* ++
* Update fortigate schemas
* Revert "Update fortigate schemas"
This reverts commit b7c87b0ff50c6d36ba7e6c223de2813d7edceb03.
* Revert "++"
This reverts commit 7f5d860da6012218c586f90e98cb5eb0c9c0ede5.
* [New Rule] Web Server Discovery or Fuzzing Activity
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add case handling for URL normalization in rule
* Replace url.path with Esql_url_lower in TOML file
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* ++
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Add manifest and schema updates
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* Added schema/manifest updates
* ++
* Update reconnaissance_web_server_discovery_or_fuzzing_activity.toml
* revert manifests / schemas to main
* adds nginx, iis, apache_tomcat, apache to integration manifests and schemas
* bumping patch version
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-11-24 12:40:12 -05:00
Samirbous
fda139f4bf
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
* [New] Alerts in Different ATT&CK Tactics by Host
Using ES|QL and alert risk scores to identify top risky hosts based on the presence of multiple alerts touching at least 4 unique tactics in a 24h time window.
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update multiple_alerts_risky_host_esql.toml
* Update non-ecs-schema.json
* ++
* Update multiple_alerts_edr_elastic_defend_by_host.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 22:46:09 +05:30
Samirbous
01c74e7e26
[New] Elastic Defend and Email Alerts Correlation (#5336)
* Create multiple_alerts_email_elastic_defend_correlation.toml
* Update multiple_alerts_email_elastic_defend_correlation.toml
* Update multiple_alerts_email_elastic_defend_correlation.toml
* Update rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update multiple_alerts_email_elastic_defend_correlation.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 22:26:00 +05:30
Samirbous
d946bb36b7
[New] Elastic Defend and Network Security Alerts Correlation ( #5332 )
...
* [New] Elastic Defend and NG-Firewall Alerts Correlation
This rule correlate any Elastic Defend alert with a set of suspicious events from Next-Gen Firewall like PAN and Fortigate by host.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Add suricata and fortinet_fortigate
* ++
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update pyproject.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 22:15:15 +05:30
Samirbous
8577bf47b7
[New] PANW Command and Control Correlation (#5331)
...
* [New] PANW Command and Control Correlation
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify the source process performing the network activity.
* Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_pan_elastic_defend_c2.toml
* Update command_and_control_pan_elastic_defend_c2.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-11-24 14:01:52 +00:00
Samirbous
7fe3831078
[New] SOCKS Traffic from an Unusual Process (#5324)
...
* [New] SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network events to identify the source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
* Update command_and_control_socks_fortigate_endpoint.toml
* Update command_and_control_socks_fortigate_endpoint.toml
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update command_and_control_socks_fortigate_endpoint.toml
* add fortinet schema and manif
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update pyproject.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-11-24 13:18:30 +00:00
Samirbous
b16f22f60c
[Tuning] Agent Spoofing - Multiple Hosts Using Same Agent (#5313)
...
* Update defense_evasion_agent_spoofing_multiple_hosts.toml
* Update defense_evasion_agent_spoofing_multiple_hosts.toml
* Update defense_evasion_agent_spoofing_multiple_hosts.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 12:59:49 +00:00
Samirbous
7b6f4864f0
Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)
2025-11-13 17:26:29 +00:00
Ruben Groenewoud
700443bc97
[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)
...
* [New Rule] Potential Git CVE-2025-48384 Exploitation
* ++
* Update execution_git_exploit_cve_2025_48384.toml
* Update execution_git_exploit_cve_2025_48384.toml
* Update rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
* Update rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
* Update execution_git_exploit_cve_2025_48384.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-11-12 15:45:52 +01:00
Alessandro Stoltenberg
21217e5536
[Rule Tuning] Elastic Agent Service Terminated (#5272)
...
* rule-tuning: Elastic Agent service termination improved for detection
* [Rule Tuning]: Elastic Agent Service terminated, updated date field
* Enhance detection rules for stopping Elastic Agent
* Fix syntax for process name checks in TOML file
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-11-12 08:34:34 -03:00
Samirbous
29393f2ca4
[New] New USB Storage Device Mounted (#5299)
...
* Revise USB device mounting detection rule
Updated detection rule for USB device mounting to use device serial number instead of friendly name. Enhanced investigation steps and response actions for better clarity.
* Update initial_access_exfiltration_new_usb_device_mounted.toml
* Update rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
* Update initial_access_exfiltration_new_usb_device_mounted.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-11-11 09:28:54 +00:00
shashank-elastic
56c40b18f0
Ignore agentless executions in agent_id_status events. (#5295)
2025-11-10 22:18:51 +05:30
shashank-elastic
3397b7e707
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30