* [Tuning] Potential Ransomware Behavior - Note Files by System
Added host.id and removed noisy patterns (writes to non-C drives).
* Update impact_high_freq_file_renames_by_kernel.toml
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update impact_high_freq_file_renames_by_kernel.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [Tuning] Suricata and Elastic Defend Network Correlation
Nessus is the main source of noise.
* Update command_and_control_suricata_elastic_defend_c2.toml
* [Rule Tunings] AWS removal of target.entity.id and actor.entity.id fields
Related Issue: https://github.com/elastic/security-team/issues/14019
`target.entity.id` and `related.entity.id` fields will soon be fully removed from the AWS Integration. This rule tuning replaces rule queries that relied on `target.entity.id` with the equivalent field `entity.target.id` which was introduced with AWS version 4.7.0 along with several new entity classification fields. This tuning also removes references to these fields in highlighted fields and investigation guides for several rules.
* update data for defense_evasion_route53_dns_query_resolver_config_deletion.toml
update data for defense_evasion_route53_dns_query_resolver_config_deletion.toml
* updated_dates
* [Rule Tunings] AWS remove target.entity.id and actor.entity.id fields
Adding min_stack to rules using the field `entity.target.id`. We determined AWS version 4.7.0 is compatible with Kibana versions '^8.19.4 || ^9.1.4'. We reverted the initial PR, and this one adds the min_stack_version.
Original PR: https://github.com/elastic/detection-rules/pull/5563
______
### Issue Link
- https://github.com/elastic/ia-trade-team/issues/781
## Summary - What I changed
`target.entity.id` and `actor.entity.id` fields will soon be fully removed from the AWS Integration. This rule tuning replaces rule queries that relied on `target.entity.id` with the equivalent field `entity.target.id` which was introduced with AWS version 4.7.0 along with several new entity classification fields. This tuning also removes references to these fields in highlighted fields and investigation guides for several rules.
![image](https://github.com/user-attachments/assets/024fbdb2-c0e4-4785-9735-5285218e4fa9)
## Rules with Query Changes
**AWS IAM Customer-Managed Policy Attached to Role by Rare User**
**AWS IAM Assume Role Policy Update**
Both of these rules relied on `target.entity.id` as a new terms field; this field has been replaced with the `entity.target.id` field, which populates the same value for the event.actions these rules trigger on, as shown in the screenshot below.
![Screenshot 2026-01-15 at 12 13 17 PM](https://github.com/user-attachments/assets/27e482fe-2a09-4dfb-8337-2e5070422183)
## How To Test
- Recent test data is in our stack for the 2 rules that have changes to their new terms values.
- Test scripts for each:
  - [trigger_privilege_escalation_iam_customer_managed_policy_attached_to_role.py](https://github.com/elastic/elastic-aws-ruleset-testing/blob/main/IAM/trigger_privilege_escalation_iam_customer_managed_policy_attached_to_role.py)
  - [trigger_privilege_escalation_update_assume_role_policy.py](https://github.com/elastic/elastic-aws-ruleset-testing/blob/main/IAM/trigger_privilege_escalation_update_assume_role_policy.py)
* [Rule Tunings] AWS removal of target.entity.id and actor.entity.id fields
Related Issue: https://github.com/elastic/security-team/issues/14019
`target.entity.id` and `related.entity.id` fields will soon be fully removed from the AWS Integration. This rule tuning replaces rule queries that relied on `target.entity.id` with the equivalent field `entity.target.id` which was introduced with AWS version 4.7.0 along with several new entity classification fields. This tuning also removes references to these fields in highlighted fields and investigation guides for several rules.
* update data for defense_evasion_route53_dns_query_resolver_config_deletion.toml
update data for defense_evasion_route53_dns_query_resolver_config_deletion.toml
* updated_dates
Completing the deprecation process for these rules, as they have shipped for at least 2 release cycles with the "Deprecated - " prefix.
All have the following metadata changes:
```toml
maturity = "deprecated"
updated_date = "2026/01/16"
deprecation_date = "2026/01/16"
```
- Removing the genAI disclaimer for the AWS ruleset Investigation guides which were all manually modified during the most recent audit.
- Removing any numbering in the investigation guides to maintain better consistency across guides
- Fixed any spacing inconsistencies
* Docs: improve WinRAR/7-Zip encrypted archive rule guidance
Clarifies the rule description and expands investigation and false positive guidance
to help analysts distinguish data staging for exfiltration from common benign
administrative and backup workflows. No detection logic or query changes.
* Update rules/windows/collection_winrar_encryption.toml
* Change updated_date to 2026/01/12
Bump update_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* [New] Multiple Alerts in Same ATT&CK Tactic by Host
This rule uses alert data to determine when multiple alerts in the same phase of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_same_tactic_by_host.toml
* Update rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update non-ecs-schema.json
* Update multiple_alerts_same_tactic_by_host.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New] Multiple External EDR Alerts by Host
This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* [Tuning] SMB (Windows File Sharing) Activity to the Internet
Converted to new terms (history search window set to 5 days by destination.ip) to reduce alert volume. https://github.com/elastic/detection-rules/issues/5490
* Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
* Update rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
* Update rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New/Tuning] Several New Linux Rules
* Update collection_potential_video_recording_or_screenshot_activity.toml
* Update discovery_dmidecode_system_discovery.toml
* Update rules/linux/collection_potential_audio_recording_activity.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update exfiltration_potential_wget_data_exfiltration.toml
* [New Rule] Linux User or Group Deletion
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 3
* Update rules/linux/credential_access_aws_creds_search_inside_container.toml
* Adjust thresholds and expand event action handling
* Update credential_access_potential_linux_ssh_bruteforce_external.toml
* Increase threshold for SSH brute force detection
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_ssh_backdoor_log.toml
Removed 'auditbeat-*' from the index list.
* Refactor credential access rule for clarity
Removed redundant event.action expansion and filtering logic.
* Refactor ESQL query for SSH brute force detection
Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Add time window truncation to bruteforce rule
* Add time window truncation to SSH brute force rule
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update SSH brute force detection rule to EQL
* Update CIDR match conditions for SSH brute force rule
* Update EQL query for SSH brute force detection
* [Rule Tuning] Linux DR Tuning - 6
* Fix syntax error in discovery_esxi_software_via_grep.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_virtual_machine_fingerprinting.toml
* Revise investigation title for kernel module enumeration
Updated the title of the investigation section to clarify the focus on unusual kernel module enumeration.
* Update discovery_port_scanning_activity_from_compromised_host.toml
* Enhance ESQL query for subnet scanning detection
Updated ESQL query to include additional fields and conditions for better analysis of connection attempts from compromised hosts.
* Remove Elastic Endgame data source from rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>