* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
* [New] Multiple Machine Learning Alerts by Influencer Field
This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.
* Update multiple_machine_learning_jobs_by_entity.toml
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
* [New] Newly Observed Process Exhibiting CPU Spike
This rule alerts on processes exhibiting CPU spike and that are observed for the first time in the previous 5 days. This behavior may indicate performance issues as well as potential suspicious software like cryptomining or exploit abusing system resources following compromise.
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update rules/cross-platform/impact_newly_observed_process_with_high_cpu.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* [New] Multiple Alerts on a Host Exhibiting CPU Spike
This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update multiple_alerts_on_host_with_cpu_spike.toml
* Rename multiple_alerts_on_host_with_cpu_spike.toml to impact_alerts_on_host_with_cpu_spike.toml
* Update impact_alerts_on_host_with_cpu_spike.toml
* Update rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New] Detection Alert on a Process Exhibiting CPU Spike
This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update rules/cross-platform/securityt_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Rename securityt_alert_from_a_process_with_cpu_spike.toml to security_alert_from_a_process_with_cpu_spike.toml
* Update security_alert_from_a_process_with_cpu_spike.toml
* Rename security_alert_from_a_process_with_cpu_spike.toml to impact_alert_from_a_process_with_cpu_spike.toml
* Update impact_alert_from_a_process_with_cpu_spike.toml
* Update non-ecs-schema.json
* Update rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Tuning] Suricata and Elastic Defend Network Correlation
Nessus is main source of noise.
* Update command_and_control_suricata_elastic_defend_c2.toml
* [New] Multiple Alerts in Same ATT&CK Tactic by Host
This rule uses alert data to determine when multiple alerts in the same phase of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_same_tactic_by_host.toml
* Update rules/cross-platform/multiple_alerts_same_tactic_by_host.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update non-ecs-schema.json
* Update multiple_alerts_same_tactic_by_host.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New] Multiple External EDR Alerts by Host
This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* Update multiple_external_edr_alerts_by_host.toml
* [New] Suspected Lateral Movement from Compromised Host
Detects potential lateral movement or post-compromise activity by correlating alerts where the host.ip of one alert matches the source.ip of a subsequent alert. This behavior may indicate a compromised host being used to authenticate to another system or resource, including cloud services.
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update multiple_alerts_by_host_ip_and_source_ip.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New] Multiple Elastic Defend Alerts from Single Process Tree
Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update multiple_alerts_edr_elastic_same_process_tree.toml
* Update multiple_alerts_edr_elastic_same_process_tree.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* [Tuning] Elastic Defend and Email Alerts Correlation
this rule uses the logs-* generic index, which causes failures on clusters without an email related integration with `destination.user.name` populated. for now limiting the rule to checkpoint email security and we can add more or users can customize it by adding more indexes.
* add checkpoint_email manifest and schema
* Update pyproject.toml
* Update multiple_alerts_email_elastic_defend_correlation.toml
* [Tuning] Windows BruteForce Rules Tuning
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%)
#2 Privileged Account Brute Force - coverted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.
* ++
* Update execution_shell_evasion_linux_binary.toml
* Update execution_shell_evasion_linux_binary.toml
* Update defense_evasion_indirect_exec_forfiles.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update persistence_service_windows_service_winlog.toml
* Update credential_access_lsass_openprocess_api.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update impact_hosts_file_modified.toml
* Update defense_evasion_process_termination_followed_by_deletion.toml
* Update rules/windows/credential_access_lsass_openprocess_api.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update credential_access_lsass_openprocess_api.toml
* Update impact_hosts_file_modified.toml
* Update credential_access_dollar_account_relay.toml
* Update credential_access_new_terms_secretsmanager_getsecretvalue.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Ruben Groenewoud