d946bb36b7
[New] Elastic Defend and Network Security Alerts Correlation ( #5332 )
...
* [New] Elastic Defend and NG-Firewall Alerts Correlation
This rule correlate any Elastic Defend alert with a set of suspicious events from Next-Gen Firewall like PAN and Fortigate by host.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Add suricata and fortinet_fortigate
* ++
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update pyproject.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-11-24 22:15:15 +05:30
7fe3831078
[New] SOCKS Traffic from an Unusual Process ( #5324 )
...
* [New] SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
or act as an intermediary for network communications to a command and control server to avoid direct connections to their
infrastructure.
* Update command_and_control_socks_fortigate_endpoint.toml
* Update command_and_control_socks_fortigate_endpoint.toml
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update command_and_control_socks_fortigate_endpoint.toml
* add fortinet schema and manif
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update pyproject.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-11-24 13:18:30 +00:00
5db396f084
Skip unit test for protected prebuilt-rules on DAC env ( #5323 )
2025-11-17 21:41:46 +05:30
79607723df
Renovate Updates ( #5258 )
2025-11-17 20:22:11 +05:30
a2bf7f088d
[Security Content] Windows Setup Guides - WinEventLog & Sysmon ( #5162 )
...
* [Security Content] Windows Setup Guides
* Move it to the right folder
* Fix link
* test
* ++
* ++
* ++
* ++
* ++
* ++
* ++
* ++
* Fix links
* ++
* ++
* Update pyproject.toml
* Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update docs/audit_policies/windows/audit_powershell_scriptblock.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update pyproject.toml
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-11-14 09:22:31 -08:00
8b74ba7136
[Rule Tuning] Remove host.os.type Unit Test Exception ( #5317 )
2025-11-14 08:46:24 -08:00
033145adf4
[Bug] Add synthetic properties check to remote ESQL validation ( #5308 )
...
* Add synthetic properties check
* Add additional unit test for schema conflicts
2025-11-13 15:25:42 -05:00
29d4aeb37a
[Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries ( #5256 )
...
* Add alignment checking for sub-queries
* Allow field to be over written with original field
* Update rule prompt to allow for int 0 values
* Support custom schema index overwrite
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-11-12 11:21:53 -05:00
32fb003781
Lock versions for releases: 8.19,9.0,9.1,9.2 ( #5300 )
2025-11-11 18:58:05 +05:30
e938ecf41a
Refresh Manifest and Schemas November Update ( #5298 )
2025-11-11 18:04:20 +05:30
7604c20d9e
[FR] Add ESQL rules to dataset exception ( #5249 )
...
* Add ESQL rules to dataset exception
* Add unit test
2025-10-27 11:03:48 -04:00
9345e0ec27
Add unit test for protected prebuilt-rules ( #5242 )
2025-10-24 19:15:52 +05:30
566242772f
Remove toml filtering for branches ( #5243 )
2025-10-23 12:53:15 -04:00
b9b8e24514
Lock versions for releases: 8.19,9.0,9.1,9.2 ( #5234 )
2025-10-17 22:10:05 +05:30
818978975d
Prep 9.2 ( #5231 )
2025-10-17 21:01:13 +05:30
c7246313f7
feat: ESQL query validation against Elastic cluster ( #4955 )
...
* Add remote ESQL validation
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-10-15 15:17:07 -04:00
a5c100a65b
[Bug] Add unit tests and fix Alert Suppression schema validation for ThresholdQueryRuleData ( #5196 )
...
* Add schema validation for AlertSuppressionMapping
* Add support for indicator match alert suppression
* Add unit tests
* Update order and remove validates_schema method
* Add comments
* Add test for query rule duration only
2025-10-09 16:21:21 -04:00
ebb7bb5bce
Update Package Category ( #5192 )
2025-10-08 19:26:11 +05:30
49637fbfc7
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #5188 )
2025-10-06 22:14:15 +05:30
3397b7e707
Monthly Schema Updates ( #5187 )
2025-10-06 21:39:14 +05:30
7410ec7db9
[Rule Tuning] Updated ESQL Rules Based on Validation Results ( #5151 )
...
* Updated ESQL rules based on validation results
* Patch bump
* Updated regex patterns
* added missing azure fields to non-ecs-schema.json; adjusted okta query logic to use LIKE instead of RLIKE
* fixed incorrect field in non-ecs-schema.json; changed logs-azure.signinlogs* sightings to logs-azure.signinlogs-*
* Add and
* Additional non-ecs fields
* Add EOF
* Add kibana.alert.rule.name
* removed azure.platforlogs.identity.claim.objectid; updated query for 'c07f7898-5dc3-11f0-9f27-f661ea17fbcd'
* Field removed from query removing from keep
* Patch Bump
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-09-30 00:36:29 -04:00
42be8bc8ba
[Bug] Add Required to the Annotation ( #5159 )
...
* Add Required to the Annotation
* Additional required fields
* remove nonempty sting validation
* Required Types via Annotated and Dataclass
* remove space
* Remove inline comment
* Switch to getting a list
* Fix typo and sort
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-09-29 18:30:50 -04:00
e147188939
Add SIEM package category ( #5128 )
2025-09-18 19:15:53 +05:30
80c01cf665
[Bug] Annotated Fields Ignored ( #5125 )
...
* Add Note for stop gap
2025-09-17 17:34:42 -04:00
8f79d58f3f
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #5123 )
2025-09-16 19:56:59 +05:30
99ebad576b
Added handling for unauth error ( #5115 )
2025-09-16 18:25:10 +05:30
b2b9d677c7
[Bug] Github Gist API Now Requires Auth ( #5119 )
...
* Add headers to public call
2025-09-16 08:18:48 -04:00
39b6f19eb9
Pin dependencies ( #5086 )
...
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2025-09-12 22:46:24 +05:30
f0f7d217c0
[FR] Refactor Schema Validation & Support Multi-Dataset Sequence Validation ( #5059 )
2025-09-10 13:11:04 -05:00
6adee51410
Fix Ruff failures ( #5083 )
2025-09-10 22:24:07 +05:30
a6dfd2c0e1
Add test_min_stack_version_supported testcase ( #5077 )
2025-09-10 20:12:36 +05:30
35b000b7ab
[FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2) ( #5041 )
2025-09-09 10:58:53 -05:00
cbb892b4bc
[Bug] Incorrect Integrations Schema Parsing for Nested Fields ( #5058 )
...
* Add proper handling for nested fields
* Updated schemas
* bump patch
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-09-04 14:12:33 -04:00
3c1de72f6b
[FR] Add support for 5 group_by fields in threshold rules (>=9.2) ( #5040 )
2025-09-04 09:24:36 -05:00
f2291e0261
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #5049 )
2025-09-01 23:19:12 +05:30
93ac471574
Monthly Schema Updates ( #5046 )
2025-09-01 20:42:42 +05:30
ee70674e2c
Add all rule types DaC testing ( #4969 )
2025-08-20 19:04:57 +05:30
dde448ee6b
[Bug] Rule Toml Write Formatting Wrongly Formats \\\\x ( #4978 )
...
* Fix rule and mitigate py toml
* Bump patch version
* Add reference to issue
* Add unit test for path issues
* Update comment
* Certain strings were not properly escaped
* Updated to use json instead of repr
* replace _old_dump_str with json.dumps
* Bump Version
2025-08-18 17:03:51 -04:00
fb76ec1b2d
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #4991 )
2025-08-18 22:36:37 +05:30
154283f457
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #4963 )
2025-08-06 08:58:16 +05:30
a726da5e83
[Bug] [DAC] Custom Rules Filter Discrepancy on Stacks Upgraded to 8.18 ( #4945 )
...
* Update Custom Rules KQL
* Bump Patch Version
* Update detection_rules/kbwrap.py
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com >
* Use or instead of and
* Bump patch version
* Fix results len typo
---------
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com >
2025-08-05 09:42:25 -04:00
c210a88b1f
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #4960 )
2025-08-04 22:37:59 +05:30
2c2b15368c
Update latest integration manifests and schema and investigation guides ( #4957 )
2025-08-04 19:30:01 +05:30
ff46a7ab4a
fix: Allow different order of the metadata fields in ESQL queries ( #4956 )
...
* Initial commit
* Python project version bump
2025-08-02 02:26:39 +02:00
a9ad66935c
[FR] [DAC] Add Arbitrary File location Support for Local Creation Date ( #4915 )
...
* Add support for local file contents
* Update Rule Params
* Update CLI docs
* Update to Pathlib
* Format updating
* Delete duplicate
* Update logic to handle just local_contents path
* Update to Glob Based Approach
* Updated to use RawRuleCollection
* Fix Logging Typo
* New utils functions no longer needed
* Update naming for convention
2025-07-31 14:35:00 -04:00
bf3071d3d1
[FR] Add white space checking for KQL parse ( #3789 )
...
* Add whitespace checking for KQL parse
* Add unit test for blank space check
* Bump patch version
* Add test cases for newline blank space
* Add additional unit tests
* Update to only walk tree once
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2025-07-31 14:23:53 -04:00
1dc3926203
[New Rules] External Promotion Alerts ( #4903 )
2025-07-31 11:00:50 -05:00
f2fac1bc48
[FR] [DAC] Add existing mitre threat information on import ( #4948 )
2025-07-31 09:44:09 -05:00
f348e92f06
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #4926 )
2025-07-22 21:19:44 +05:30
0cb1e596b3
[Bug] [DAC] Kibana Export Rules Rule Name Filter Exports All Rules ( #4917 )
...
* Add check for not rule_id
2025-07-22 11:32:17 -04:00
Samirbous