Samirbous
efd1756d49
Update impact_hosts_file_modified.toml (#5655)
2026-01-29 17:02:14 +00:00
Samirbous
cee9f51b6d
[New] Newly Observed Process Exhibiting CPU Spike (#5635)
* [New] Newly Observed Process Exhibiting CPU Spike
This rule alerts on processes exhibiting a CPU spike that are observed for the first time in the previous 5 days. This behavior may indicate performance issues as well as potentially suspicious software like cryptomining or an exploit abusing system resources following compromise.
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update rules/cross-platform/impact_newly_observed_process_with_high_cpu.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-28 17:38:22 +00:00
shashank-elastic
3ee0a72a65
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
Samirbous
42e7f3b4ce
[New] Multiple Alerts on a Host Exhibiting CPU Spike (#5621)
* [New] Multiple Alerts on a Host Exhibiting CPU Spike
This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update multiple_alerts_on_host_with_cpu_spike.toml
* Rename multiple_alerts_on_host_with_cpu_spike.toml to impact_alerts_on_host_with_cpu_spike.toml
* Update impact_alerts_on_host_with_cpu_spike.toml
* Update rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 20:42:20 +00:00
Samirbous
094f907144
[New] Detection Alert on a Process Exhibiting CPU Spike (#5617)
* [New] Detection Alert on a Process Exhibiting CPU Spike
This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update rules/cross-platform/securityt_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Rename securityt_alert_from_a_process_with_cpu_spike.toml to security_alert_from_a_process_with_cpu_spike.toml
* Update security_alert_from_a_process_with_cpu_spike.toml
* Rename security_alert_from_a_process_with_cpu_spike.toml to impact_alert_from_a_process_with_cpu_spike.toml
* Update impact_alert_from_a_process_with_cpu_spike.toml
* Update non-ecs-schema.json
* Update rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2026-01-26 17:42:31 +00:00
Samirbous
6d9eef48b0
[New] Multiple Vulnerabilities by Asset via Wiz (#5598)
* [New] Wiz - Multiple Vulnerabilities by Container
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* add wiz manif and schema
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update pyproject.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* ++
* Update external_alerts.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Delete detection_rules/etc/integration-manifests.json.gz
* Revert "add wiz manif and schema"
This reverts commit a1e9e7440dcb46ea2abebec834cfc0291e3b60ae.
* Revert "Update pyproject.toml"
This reverts commit 47ab9d2dc8239207126b8512006f353a3fd4affc.
* update manifest and schema for wiz
2026-01-26 17:26:17 +00:00
Samirbous
88e0b14709
[Tuning] ESQL Dynamic unique value fields (#5569)
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion
Extract dynamic field with 1 value to ECS fields for alerts exclusion:
Esql.host_id_values -> host.id
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update newly_observed_elastic_defend_alert.toml
* Update defense_evasion_base64_decoding_activity.toml
* Update discovery_subnet_scanning_activity_from_compromised_host.toml
* Update persistence_web_server_sus_command_execution.toml
* Update persistence_web_server_sus_child_spawned.toml
* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/linux/impact_potential_bruteforce_malware_infection.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/windows/credential_access_rare_webdav_destination.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update credential_access_rare_webdav_destination.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 16:34:16 +00:00
Samirbous
edf28367e4
[New] Lateral Movement Alerts from a Newly Observed Entity (#5557)
* [New] Lateral Movement Alerts from a Newly Observed Entity
High-order rules to prioritize lateral movement alert triage (detect multiple lateral movement alerts from a source.ip or user.id that was observed for the first time in the previous 5 days).
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_srcip.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_srcip.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_userid.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 16:21:27 +00:00
Ruben Groenewoud
c5b64c9fbf
[New/Tuning] General API Abuse D4C/K8s Rules (#5591)
* [New/Tuning] General API Abuse D4C/K8s Rules
* [New Rule] DNS Enumeration Detected via Defend for Containers
* [New Rule] Tool Enumeration Detected via Defend for Containers
* [New Rule] Tool Installation Detected via Defend for Containers
* Service Account File Reads
* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers
* Rule name update
* [New Rules] D4C K8S MDA API Request Rules
* Add 'tor' to the list of allowed process args
* ++
* ++
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update description
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 16:59:14 +01:00
Samirbous
3b6302a0c5
Update credential_access_multi_could_secrets_via_api.toml (#5618)
2026-01-26 15:21:18 +00:00
Samirbous
8b1764071b
[New] Newly Observed Network Alert (#5585)
* [New] Newly Observed High Severity Suricata Alert
* Update newly_observed_suricata_high_severity_alert.toml
* Update newly_observed_suricata_high_severity_alert.toml
* Update newly_observed_suricata_high_severity_alert.toml
* Update newly_observed_suricata_high_severity_alert.toml
* ++
* ++
* Update newly_observed_fortigate_alert.toml
* Update newly_observed_fortigate_alert.toml
* ++
* Update newly_observed_panos_alert.toml
* Update rules/cross-platform/newly_observed_fortigate_alert.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/newly_observed_suricata_alert.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update newly_observed_fortigate_alert.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-23 12:22:21 +00:00
Samirbous
e2c8c7745d
[Tuning] Suricata and Elastic Defend Network Correlation (#5583)
* [Tuning] Suricata and Elastic Defend Network Correlation
Nessus is the main source of noise.
* Update command_and_control_suricata_elastic_defend_c2.toml
2026-01-23 12:02:25 +00:00
Samirbous
5c5185d227
[New] Potential SAP NetWeaver Exploitation rules (#4666)
* [New] Potential SAP NetWeaver Exploitation
https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
* ++
* Update execution_sap_netweaver_jsp_webshell.toml
* Update execution_sap_netweaver_webshell_exec.toml
* Update rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update execution_sap_netweaver_jsp_webshell.toml
* Update execution_sap_netweaver_webshell_exec.toml
* Update execution_sap_netweaver_webshell_exec.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-22 12:58:02 -06:00
Mika Ayenson, PhD
ab34f25e54
[New Rules] Ollama Detections (#5546)
2026-01-12 11:05:15 -06:00
Jonhnathan
dd567e59de
[Rule Deprecation] Agent Spoofing - Mismatched Agent ID (#5552)
* [Rule Deprecation] Agent Spoofing - Mismatched Agent ID
* Update defense_evasion_agent_spoofing_mismatched_id.toml
2026-01-12 13:44:13 -03:00
shashank-elastic
1ce072a4e5
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
Samirbous
7c36743ce6
[New] Multiple Alerts in Same ATT&CK Tactic by Host (#5550)
* [New] Multiple Alerts in Same ATT&CK Tactic by Host
This rule uses alert data to determine when multiple alerts in the same phase of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_same_tactic_by_host.toml
* Update rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update non-ecs-schema.json
* Update multiple_alerts_same_tactic_by_host.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-01-12 14:19:51 +00:00
Samirbous
8bc4829432
[Tuning] Multiple Cloud Secrets Accessed by Source Address (#5549)
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
2026-01-12 11:44:31 +00:00
Samirbous
2d5d826be7
[New] Multiple External EDR Alerts by Host (#5540)
* [New] Multiple External EDR Alerts by Host
This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
2026-01-09 15:51:51 +00:00
Mika Ayenson, PhD
f123ffa0f8
[Rule Tuning] GenAI DR Tuning (#5506)
2026-01-09 08:23:03 -06:00
Samirbous
b39cfc34e6
[New] First Time Seen Elastic Defend Behavior Alert (#5528)
* [New] First Time Seen Elastic Defend Behavior Alert
This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against the previous 7 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule on a single agent, which may indicate early-stage malicious activity or initial execution of suspicious behavior.
* Update first_time_seen_elastic_defend_alert.toml
* ++
* Update first_time_seen_elastic_defend_alert.toml
* ++
* Update fist_time_seen_elastic_detection_rule.toml
* Update fist_time_seen_elastic_detection_rule.toml
* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update fist_time_seen_elastic_detection_rule.toml
* Update first_time_seen_elastic_defend_alert.toml
* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update first_time_seen_elastic_defend_alert.toml
* Update and rename fist_time_seen_elastic_detection_rule.toml to newly_observed_elastic_detection_rule.toml
* Rename first_time_seen_elastic_defend_alert.toml to newly_observed_elastic_defend_alert.toml
* Update newly_observed_elastic_defend_alert.toml
* Update newly_observed_elastic_detection_rule.toml
* Update newly_observed_elastic_defend_alert.toml
* Update newly_observed_elastic_detection_rule.toml
* Update newly_observed_elastic_defend_alert.toml
* Update newly_observed_elastic_detection_rule.toml
* Update newly_observed_elastic_detection_rule.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-09 10:34:32 +00:00
Samirbous
0165b97d30
[New] Suspected Lateral Movement from Compromised Host (#5521)
* [New] Suspected Lateral Movement from Compromised Host
Detects potential lateral movement or post-compromise activity by correlating alerts where the host.ip of one alert matches the source.ip of a subsequent alert. This behavior may indicate a compromised host being used to authenticate to another system or resource, including cloud services.
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:23:16 +00:00
Ruben Groenewoud
38e2e4766f
[Rule Tuning] Linux DR BBR Tuning (#5514)
* [Rule Tuning] Linux DR BBR Tuning
* Update discovery_getconf_execution.toml
* Fix typo in process.args for dscl command
* Update persistence_web_server_sus_file_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:52:40 +01:00
Ruben Groenewoud
ca0f32f28e
[Rule Tuning] Linux DR CP Tuning (#5512)
* [Rule Tuning] Linux DR CP Tuning
* Update date bump
* Fix privilege escalation rule for teleport executable
* ++
* Revert "++"
This reverts commit 386dc909b89dfcbe21628585489605fd0206e3c2.
* Update rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:40:37 +01:00
Samirbous
74d6fe95c9
[New] Multiple Elastic Defend Alerts from Single Process Tree (#5522)
* [New] Multiple Elastic Defend Alerts from Single Process Tree
Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update multiple_alerts_edr_elastic_same_process_tree.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-02 15:13:25 +00:00
Samirbous
c7adfd8b6d
[Tuning] Elastic Defend and Network Security Alerts Correlation (#5518)
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
* Update multiple_alerts_elastic_defend_netsecurity_by_host.toml
2026-01-02 14:40:06 +00:00
Samirbous
f337926c52
Update initial_access_execution_susp_react_serv_child.toml (#5503)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-01 15:27:33 -03:00
Jonhnathan
b956a4350f
[Rule Tuning] Multiple Alerts Involving a User (#5498)
* [Rule Tuning] Multiple Alerts Involving a User
* Update multiple_alerts_involving_user.toml
* Update multiple_alerts_involving_user.toml
* Update non-ecs-schema.json
* ++
* Update multiple_alerts_involving_user.toml
* ++
* Update non-ecs-schema.json
2025-12-19 12:57:25 -03:00
Samirbous
95cf506c9d
[New] Suricata and Elastic Defend Network Correlation (#5443)
* [New] Suricata and Elastic Defend - Command and Control Correlation
This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process performing the network activity.
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_suricata_elastic_defend_c2.toml
* Update command_and_control_suricata_elastic_defend_c2.toml
* add suricata to schemas
* merge from main
* reset schemas
* Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-19 09:08:31 +00:00
Samirbous
a1e40de4a5
[New] Alerts From Multiple Integrations by Entity (#5460)
* [New] Alerts From Multiple Integrations by Entity IP
Higher-Order Rules that trigger on different integrations with different event.category (e.g. authentication with endpoint, email with network, etc.) for the same entity (user, IP) in an interval of 4 hours. The rule is set to run every 1h.
- Alerts From Multiple Integrations by Source Address
- Alerts From Multiple Integrations by Destination IP
- Alerts From Multiple Integrations by User Name
* ++
* ++
* ++
* ++
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_srcip.toml
* Update multiple_alerts_from_different_modules_by_user.toml
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_srcip.toml
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_from_different_modules_by_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update multiple_alerts_from_different_modules_by_dstip.toml
* Update multiple_alerts_from_different_modules_by_srcip.toml
* Update multiple_alerts_from_different_modules_by_user.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-12-18 18:04:58 +00:00
Samirbous
b996a29451
[Tuning] Diverse Rules Tuning (#5482)
* [Tuning] Diverse Rules Tuning
* Update persistence_shell_profile_modification.toml
* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* ++
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update persistence_shell_profile_modification.toml
* Revert "Update credential_access_potential_linux_ssh_bruteforce_internal.toml"
This reverts commit bad889a30d3f4a028de2b6624307f75b279a205b.
* Update persistence_web_server_sus_destination_port.toml
* Update defense_evasion_ml_suspicious_windows_event_high_probability.toml
* Update defense_evasion_ml_suspicious_windows_event_low_probability.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-18 15:30:12 +00:00
Samirbous
6ac69db7ba
[Tuning] Elastic Defend and Email Alerts Correlation (#5459)
* [Tuning] Elastic Defend and Email Alerts Correlation
This rule uses the logs-* generic index, which causes failures on clusters without an email-related integration with `destination.user.name` populated. For now, limiting the rule to checkpoint email security; we can add more, or users can customize it by adding more indexes.
* add checkpoint_email manifest and schema
* Update pyproject.toml
* Update multiple_alerts_email_elastic_defend_correlation.toml
2025-12-15 15:33:10 +00:00
Samirbous
a6548d9773
Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446)
2025-12-12 17:47:11 +00:00
Samirbous
3726611b93
[Tuning] Top Noisy Rules (#5449)
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths. Alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (Expected reduction more than 50%.)
#2 Privileged Account Brute Force: converted to ESQL and set the threshold to 50 in a minute. This should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-12 14:28:12 +00:00
Samirbous
fcb6c3c433
[Tuning] Suspicious React Server Child Process (#5447)
* Update initial_access_execution_susp_react_serv_child.toml
* Update initial_access_execution_susp_react_serv_child.toml
2025-12-12 10:40:23 +00:00
Terrance DeJesus
cabf1c2a02
[Rule Tuning] Update Azure / M365 Rule Names and File Paths ( #5172 )
...
* Tuning azure and m365 rule names and file paths
* addressing unit test failures
* addressing unit test failures
* Changed Frontdoor to Front Door
* removed extra space in name
* adjusted Microsoft 365 to M365 in rule name
* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml
* Update rules/integrations/azure/persistence_automation_account_created.toml
* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
* Update rules/integrations/azure/persistence_automation_webhook_created.toml
* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml
* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* fixed additional rule names
* Update rule dates and investigation guide headers
- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* changed kibana alert rule name to rule ID
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-10 12:59:50 -05:00
Jonhnathan
7a54ae33a5
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
...
* [Rule Tuning] Add Missing Metadata to KEEP conditions
* Add them all
* ++
* date bump
* Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml
2025-12-09 17:05:20 -08:00
shashank-elastic
58a514340b
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
Ruben Groenewoud
7aacebba02
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421)
2025-12-08 18:54:23 +05:30
Ruben Groenewoud
bd9b1f222d
[Rule Tuning] Suspicious React Server Child Process (#5419)
2025-12-08 12:50:41 +01:00
Terrance DeJesus
cea2f43732
[New Rule] AWS EC2 LOLBin Execution via SSM (#5354)
...
* [New Rule] AWS EC2 LOLBin Execution via SSM
Fixes #5353
* updated from command
* removed high order tag
* adjusted query logic
* updated reference
* add ESQL_priv. to keep
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
* cleaned up comments
* updating query logic to use coalesce
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* added SSM tag
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-12-05 16:14:33 -05:00
Mika Ayenson, PhD
f40a383b7e
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 12:26:56 -06:00
Ruben Groenewoud
72a2b44db1
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
...
* [Rule Tuning] Interval fix + Datastream values to ESQL Rules
* Update persistence_web_server_potential_command_injection.toml
2025-12-05 16:42:52 +01:00
Samirbous
f427735610
[Tuning] Suspicious React Child Process (#5414)
...
* Update initial_access_execution_susp_react_serv_child.toml
* Update initial_access_execution_susp_react_serv_child.toml
* Enhance EQL query for process execution detection
* Update initial_access_execution_susp_react_serv_child.toml
* Update initial_access_execution_susp_react_serv_child.toml
* Update rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 11:26:48 +00:00
Ruben Groenewoud
e1166652c4
[New Rule] Web Server Potential Remote File Inclusion Activity (#5394)
...
* [New Rule] Web Server Potential Remote File Inclusion Activity
* Add min_stack_version and comments to TOML file
Added minimum stack version and comments for clarity.
* Update rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Add data_stream.namespace to event stats
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:57:56 +01:00
Ruben Groenewoud
4920e9a60f
[New Rule] Web Server Local File Inclusion Activity (#5393)
...
* [New Rule] Web Server Local File Inclusion Activity
* Update discovery_web_server_local_file_inclusion_activity.toml
* Update discovery_web_server_local_file_inclusion_activity.toml
* Update discovery_web_server_local_file_inclusion_activity.toml
* Update rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Add data_stream.namespace to event statistics
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-12-05 09:47:29 +01:00
Samirbous
36baf8c898
[New] Suspicious React Server Child Process (#5407)
...
* [New] Suspicious React Server Child Process
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
* Update initial_access_execution_susp_react_serv_child.toml
2025-12-04 21:32:20 +00:00
Samirbous
166da45561
[New] Multiple Cloud Secrets Accessed by Source Address (#5388)
...
* [New] Multiple Cloud Secrets Accessed by Source Address
This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
succession to expand their access or exfiltrate sensitive information.
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
* Update credential_access_multi_could_secrets_via_api.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-12-04 18:04:25 +00:00
Ruben Groenewoud
efef99befd
[New Rule] Potential HTTP Downgrade Attack (#5372)
...
* [New Rule] Potential HTTP Downgrade Attack
* Update defense_evasion_potential_http_downgrade_attack.toml
2025-12-04 16:23:38 +01:00
Ruben Groenewoud
f42b5143a6
[New Rule] Initial Access via File Upload Followed by GET Request (#5371)
...
* [New Rule] Initial Access via File Upload Followed by GET Request
* Slightly increase timespan
* ++
* Update rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-12-04 16:10:13 +01:00