3e1c6f38e4
Update Entity related Kibana prebuilt ML rules with new _ea ML job ID and update minimum stack versions ( #5794 )
...
* Update euid job ids and min stack version
* Update euid job ids and min stack version
* Update job suffix from _euid to _ea
* Update pad okta rules
* Update min_stack_comments
* Update gcp audit rules
* Update rules based on new changes
* Add rule for v3_windows_rare_script_ea job
* Update updated_date for rule to pass test
* Remove integrations-only changes (moved to euid-rules-update-integrations branch)
DED, DGA, LMD, PAD, and ProblemChild ML rule changes have been moved to the
euid-rules-update-integrations branch which corresponds to integrations#17626.
This branch (euid-rules-update) now only contains Kibana-related ML rule changes.
Made-with: Cursor
* Update stale updated_date to 2026/04/01 across all modified ML rules
Made-with: Cursor
* Bump min_stack_version from 9.3.0 to 9.4.0 in azure/gcp city/country/user rules
Made-with: Cursor
* Add min_stack_comments to those missing
2026-04-02 09:25:14 -04:00
8993d1450b
[Rule Tuning] Add Supplemental Mitre Mappings ( #5876 )
...
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2026-04-01 09:12:42 -05:00
4233059510
[Rule Tuning] Unusual Process For a Windows Host - from for 6h bucket span ( #5797 )
2026-03-03 14:56:30 -05:00
7595709a25
add mitre attack rules for ML job rules, bump dates ( #5333 )
...
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
2025-12-01 15:48:59 -06:00
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
a1d6ff4a50
Added ML detection-rules for new Security Host package ( #4519 )
...
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
2025-03-06 19:53:29 +05:30
818467f132
Replace master doc URLs with current ( #4439 )
2025-02-03 21:27:50 +05:30
fe8c81d762
[FR] Generate investigation guides ( #4358 )
2025-01-22 11:17:38 -06:00
123e090e7d
Fix Minstack version for windows integration - Pahse 2 ( #4216 )
2024-10-28 20:25:02 +05:30
92fe46b8ff
Fix Minstack version for windows integration ( #4214 )
2024-10-28 19:28:10 +05:30
51b9717ac0
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
2024-06-19 10:04:41 -04:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
9482bda414
Adding related integrations to ML rules ( #2972 )
...
* Adding related integrations to ML rules
* added adjustments to determine related integrations for ML rules
* fixed lint errors
* Empty commit
* Empty commit
* Empty commit
---------
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box >
2023-08-22 14:39:18 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
c60e1a61a9
Updating some rule names ( #2744 )
...
* Changing some rule names
* Updating the date
2023-04-25 09:01:06 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
38b8311482
[Security Content] Expand Abbreviated Tags ( #2414 )
...
* [Security Content] Expand Abbreviated Tags
* .
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Revert changes to deprecated rules
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-03-06 17:37:52 -03:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
f17b6f1702
[Security Content] Fix verbiage used on Osquery Note ( #2513 )
...
* [Security Content] Fix verbiage used on Osquery Note
* Adjust verbiage
* date bump
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-02-22 12:33:23 -03:00
f8e97da549
Rule Tuning Update MITRE Details ( #2526 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-02-10 23:05:28 +05:30
443478c8c0
[Rule Tuning] Rule Tunings to add T1078 technique and subtechniques ( #2530 )
...
- add sub-techniques and techniques
2023-02-08 11:18:13 -05:00
5575400ee9
[Security Content] Add Investigation Guides for ML rules ( #2405 )
...
* [Security Content] Add Investigation Guides for ML rules
* .
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Place the guide in the correct rule
* Update guides to address IG refactor, and address sugestions
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-01-30 13:12:45 -03:00
0aa87d7f4a
[Rule Tuning] Unusual Process For a Linux Host ( #2445 )
...
* [Rule Tuning] Unusual Process For a Linux Host
* .
2023-01-23 21:03:29 -03:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
4997f95300
[Rule Tuning] Link Elastic Security Labs content to compatible rules ( #2388 )
...
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
2022-11-07 15:17:49 -05:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
...
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-07-22 14:30:34 -04:00
9a739b7e4c
Modifying rules assoc w/ deprecation of v2 ML jobs ( #1846 )
...
* modifying rules assoc w/ deprecation of v2 ML jobs
* modified updated_date field
* fixed machine_learning_job_id and added min_stack_version
* replacing rest of deprecated jobs with new naming convention
* Update ml_suspicious_login_activity.toml
* removing rules assoc w/ deprecated ML jobs
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* updated ml job rules to reflect 8.3 changes
* updating min_stack_version for ml detection rules
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com >
2022-05-20 13:02:27 -07:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
72c64de3f5
[Rule tuning] Update rules based on docs review ( #1663 )
...
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-28 10:41:22 -09:00
5bdf70e72c
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
5e4a7e67df
[Rule Tuning] Small update on rule descriptions ( #1508 )
2021-09-30 12:54:15 -08:00
9ff3873ee7
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-15 20:07:21 -05:00
51a2bc815b
[Rule tuning] Fix typo in ML rule descriptions ( #1484 )
2021-09-14 11:37:01 -05:00
655f7d91d0
[Rule tuning] Fix spacing in reference URLs ( #1455 )
2021-08-31 15:59:06 -08:00
ddec37b731
Fix typos discovered by codespell ( #1430 )
2021-08-14 20:29:10 -08:00
f8f643041a
[Rule tuning] Revise rule description and other text ( #1398 )
2021-08-03 13:07:47 -08:00
1882f4456c
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00
c82e89ad34
Add min_stack_version to 7.14+ only rules ( #1321 )
2021-07-06 13:42:09 -06:00
e41fe620e6
[New Rule] Add detection rules for auth ML jobs ( #1283 )
...
* Adding detection rules for auth ML jobs
* name prefix
added the prefix "auth" to the file names
* Added descriptions
* Adding new lines and updating license
* FP text
added FP metadata
Co-authored-by: Craig <mailredirector36@gmail.com >
2021-06-16 16:00:17 -07:00
e0fa25ae8e
Fix rules which were note using v2 license ( #1291 )
2021-06-16 08:21:30 -06:00
49cb2e8dbf
[Bug] Fix ML job IDs that used hyphens ( #1287 )
...
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
2021-06-15 11:40:47 -06:00
1f7c88c6f4
Updating rules to query v2 ( #1254 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-06-15 07:20:50 -07:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
3876ef3a37
Adjust loopback for Cloudtrail ( #1103 )
...
* #1092 adjusting loopback for cloudtrail
* refactored time interval, adjusted updated_date
* reverting bucket interval back to 15m
2021-04-13 13:58:13 -04:00
0095a80014
Network rules for the 7.13 release ( #1087 )
...
* Adding network rules for the 7.13 release
* Adding rule guids
* Update rules/ml/ml_high_count_network_denies.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_rare_destination_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_high_count_network_events.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/ml/ml_spike_in_traffic_to_a_country.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Minor changes
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-04-08 09:34:47 -07:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
Susan