70d7f2b6b1
Monthly Manifest and Schema Updation ( #5697 )
2026-02-10 09:17:04 +05:30
229f3adf75
[New/Tuning] Misc. New D4C Rules and Tunings ( #5692 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New/Tuning] Misc. New D4C Rules and Tunings
* Added IGs for High Severity Rules
* Apply suggestion from @Aegrah
* ++
* Update discovery_privilege_boundary_enumeration_from_interactive_process.toml
* ++
* Update rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_interactive_file_creation_followed_by_execution.toml
* Some updates based on feedback
* Rule name changes
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2026-02-09 16:58:27 +01:00
2b5472a9b3
[Tuning/New] Solarwinds Post Exploit ( #5696 )
...
* [Tuning/New] Solawrwinds Post Exploit
https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- new rule for tunneling using QEMU
- added few websvc domains .cloud.es.io, files.catbox.moe and supabase.co
- added javaw to the solarwinds rule
- added ZOHO and Velociraptor to the new term RMM rule.
* Update initial_access_potential_webhelpdesk_exploit.toml
* Update rules/windows/command_and_control_common_webservices.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* ++
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2026-02-09 13:57:52 +00:00
793d79b063
[New Rule] AWS EC2 Serial Console Access Enabled ( #5687 )
...
* [New Rule] AWS EC2 Serial Console Access Enabled
Detects when an adversary enables the EC2 Serial Console feature at the AWS account level. This technique was documented by Permiso in their LUCR-3 Scattered Spider research as a defense evasion method that provides out-of-band access to EC2 instances, completely bypassing network-based security monitoring, VPCs, and security groups. Enabling serial console access is extremely rare in production environments, making this a high-signal detection with minimal false positive risk. I've tested this query against alert and prod telemetry and found rare instances.
Existing Related Coverage: We already detect `SendSerialConsoleSSHPublicKey` via lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml, which catches the usage of serial console. This new rule closes the gap by detecting the enablement of serial console access, the prerequisite step that must occur before an attacker can leverage this out-of-band channel.
* raising severity and risk score
2026-02-06 17:34:55 -05:00
ac6ead4346
[Rule Tuning] Update LLM Verdict for COMPLETION Rules
2026-02-06 11:25:22 -06:00
43d3f3b467
[New] Endpoint Rule Conversion PR ( #5658 )
...
* update
* [New] Endpoint Rule Conversion PR
* fix: replace invalid rule_ids with valid UUIDs
* fix: remove malformed TOML in docker_outbound_connection rule
* fix: rename Security Software Discovery rule to avoid name collision
* fix: remove rule using unsupported 'as event' alias syntax
* fix: add timestamp_override, investigation guides, and fix MITRE mapping
- Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
- Added '## Triage and analysis' investigation guides to 19 high-severity rules
- Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
* Enhance investigation guides for 19 high-severity macOS SIEM rules
Enhanced investigation guides to align with existing SIEM rule format:
- Added detailed context paragraphs explaining the threat and detection logic
- Expanded investigation steps to 6-7 items with specific field references
- Enhanced false positive analysis with 4-5 items and exclusion guidance
- Added comprehensive response and remediation steps (6-7 items)
Rules enhanced:
- Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
- Persistence: shell_profile, hidden_plist, chromium_extension, startup_item,
pkg_install_script, launch_agent_daemon
- Execution: unusual_library_python
- Lateral Movement: jamf_endpoint
- Command and Control: google_calendar_c2, oast_domain, etherhiding,
curl_from_app, curl_google_script, unsigned_binary
- Collection: pbpaste, sensitive_file_compression
* Fix investigation guide tests: add Resources tag and fix OAST title
- Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
- Fixed OAST rule investigation guide title to match rule name exactly:
'Network Connection to OAST Domain via Script Interpreter'
* Remove duplicate detection_rules 2 folder from PR
* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule
Changes:
- Convert AWS S3 connection rule to ES|QL with aggregation
- Consolidate Python + Node non-standard port rules into single script interpreter rule
- Fix Gatekeeper rule to use correct gatekeeper_override event
- Simplify Gatekeeper rule to single event per Samir's suggestion
- Convert TCC access rule to ES|QL with COUNT_DISTINCT
- Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
- Add node to system/network config check rule
Deleted duplicates (covered by existing cross-platform rules):
- Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
- Security software via grep (tuned cross-platform version instead)
- VM fingerprinting via grep (duplicate of cross-platform version)
* fix: ESQL formatting and wildcard versioning patterns
- Add Esql. prefix to computed fields in ESQL rules
- Add KEEP statements to ESQL rules for proper field visibility
- Add perl* wildcard to OAST domain rule for version consistency
- Add ruby* wildcard to Etherhiding C2 rule for version consistency
- Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
* fix: remove duplicate Script Interpreter rule
Delete command_and_control_suspicious_outbound_python_network.toml which
is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml
(same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
* fix: add timestamp_override to Pbpaste and Gatekeeper rules
- collection_pbpaste_execution_via_unusual_parent.toml
- defense_evasion_gatekeeper_override_and_execution.toml
EQL/KQL rules require timestamp_override: event.ingested
* fix: remove perl from Script Interpreter rule
Perl is covered by the broader perl_outbound_network_connection rule which
catches perl → any external IP (not just non-standard ports). Perl network
connections on macOS are rare and inherently suspicious regardless of port.
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_manual_chromium_extension_loading.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_startup_item_plist_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix ESQL syntax error in AWS S3 connection rule
Remove trailing comma before BY clause in STATS command that caused a parsing_exception.
Co-authored-by: Cursor <cursoragent@cursor.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-02-06 10:53:44 -06:00
440ff43810
[Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules ( #5685 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules
2026-02-06 09:38:56 +01:00
1c59a6adde
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded ( #5657 )
...
* [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded
This rule was very loud in telemetry since it's last tuning. ~8,938 alerts in last 24 hours. All false positives due to regex pattern matches for file names like `enc` as part of /filetransfertmsadherence/ and absence/; `lock` as part of citations-blocks/.
I've reworked this rule based on more research into common ransom note file name keywords and replaced the list here with the most common keywords. For `file` (the most common) and `back`, I was still seeing false positives so decided to alert on a combination of either or these 2 words in conjunction with any of the other words from the list. I also changed the regex to be case-insensitive.
With this new query, I see only true positive results within the last year all from known testing events.
I changed the toml file name so the rule looks new but it is just tuned.
I've updated the description and investigation guide, and added the study I used as a reference: https://www.mdpi.com/2073-431X/10/11/145#computers-10-00145-f002
Test data is in our stack, script for executing is here:
Screenshot of new working query in our test stack
* Apply suggestions from code review
* removing redundany regex pattern
2026-02-05 21:34:38 -05:00
64cca9e1ba
[Rule Tuning] Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score ( #5523 ) ( #5686 )
...
Add EQL exclusions for benign activity:
Opera GX renderer children,
Slack creating slack children,
Node using playwright to create chrome process
Python editors accessing reg.exe
Logitech manager activity
and Zabbix script paths.
2026-02-05 15:54:26 -05:00
80968035bb
MacOS detection rules tuning ( #5667 )
...
* Sync macOS detection rules with endpoint-rules logic
- Fix Bifrost Kerberos query logic (broken parentheses grouping)
- Add authenticate pattern and NinjaRMM exclusion to osascript phishing rule
- Update SCP privacy bypass to use 127.0.0.? loopback pattern
- Add wildcard EndpointSecurity pattern to kext unload rule
* Fix Safari settings rule to use targeted approach
- Change from broad catch-all with exclusions to targeted dangerous settings
- Only detect IncludeDevelopMenu and JavaScript setting changes
- Reduces false positives from benign Safari preference changes
* Add Parallels Desktop exclusion to Hosts File Modified rule
- Excludes /Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd (5,074 alerts in 90 days)
2026-02-05 11:20:16 -06:00
64a08cd6af
[New Rules] Misc. K8s RBAC Abuse Rules ( #5673 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New Rules] Misc. K8s RBAC Abuse Rules
* --
* Update non-ecs-schema
* Update to make unit tests happy
* Mitre mapping updates
* Fix query logic for service account role bindings
* Fix formatting in persistence_service_account_bound_to_clusterrole rule
2026-02-05 17:42:03 +01:00
00159a3eca
[Tuning] M365 Exchange Inbox Phishing Evasion Rule Created ( #5648 )
...
* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2026-02-05 10:02:57 -03:00
3cba3d7982
[Rule Tuning] Dormant & Deprecated Rule Clean-Up ( #5672 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
2026-02-05 13:24:21 +01:00
aff945cb70
[New Rules] ESQL LLM-Based Alert Triage Rules ( #5656 )
...
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2026-02-04 14:32:36 -06:00
94c17dff59
[New Rule] Execution via OpenClaw Agent ( #5666 )
2026-02-04 14:02:52 -06:00
e6fafc914e
[Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion ( #5592 )
...
* [Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion
- Add Downloads folder to the suspicious paths list
- Modify directory matching logic from endswith~ to startswith~ to detect DLLs loaded from subdirectories of the executable's location
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Swap back to "endswith" and add chrome_elf.dll coverage.
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2026-02-04 14:16:14 -03:00
2b8fb44cb5
[New] SolarWinds Web Help Desk Java Module Load or Child Process ( #5665 )
...
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.
https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/
https://github.com/rapid7/metasploit-framework/pull/20917
* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-04 16:09:55 +00:00
fda9f00c2b
[Tuning] M365 Exchange Inbox Forwarding Rule Created ( #5647 )
...
* Update collection_exchange_new_inbox_rule.toml
* Update collection_exchange_new_inbox_rule.toml
* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/o365/collection_exchange_new_inbox_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-04 13:50:55 +00:00
d42ebdc3e6
[Tuning] Component Object Model Hijacking ( #5651 )
...
* Update persistence_suspicious_com_hijack_registry.toml
* Update persistence_suspicious_com_hijack_registry.toml
2026-02-04 13:23:40 +00:00
ed089d5d76
[Tuning] Svchost spawning Cmd ( #5649 )
...
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
2026-02-04 12:42:50 +00:00
362c459094
[New] Multiple Machine Learning Alerts by Influencer Field ( #5660 )
...
* [New] Multiple Machine Learning Alerts by Influencer Field
This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.
* Update multiple_machine_learning_jobs_by_entity.toml
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
2026-02-04 12:25:59 +00:00
c455d3d98a
[Rule Tuning] Full Kubernetes Ruleset ( #5659 )
...
* [Rule Tuning] Full Kubernetes Ruleset
* ++
* Update manifests & schemas
* Update pyproject.toml
* Added "kubernetes.audit.userAgent" to non_ecs
* Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword
* Apply suggestion from @Aegrah
* Apply suggestion from @Aegrah
* Update privilege_escalation_pod_created_with_hostnetwork.toml
* Apply suggestion from @Aegrah
* Update privilege_escalation_pod_created_with_hostipc.toml
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* ++
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-04 10:42:41 +01:00
7c03840737
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access ( #5661 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New Rules] Misc. D4C Rules related to (un)authenticated API Access
* Apply suggestion from @Aegrah
* [New Rule] Kubelet Certificate File Access Detected via Defend for Containers
* [New Rule] Kubeletctl Execution Detected via Defend for Containers
* [New Rule] Potential Kubeletctl Execution Detected via Defend for Containers
* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt Detected
* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected
* [New Rule] Kubernetes Anonymous User Create/Update/Patch Pods Request
* [New Rule] Potential Cluster Enumeration via jq Detected via Defend for Containers
* Apply suggestion from @Aegrah
* Update execution_kubeletctl_execution.toml
2026-02-04 09:58:42 +01:00
c75fc7e487
[Rule Tuning] Mythic C2 AzureBlob Profile Endpoints ( #5663 )
...
Fixes #5662
2026-02-03 09:38:14 -05:00
ae88c095e9
[New Rule] Fortigate (FG-IR-26-060) Detections ( #5641 )
...
* initial FG-IR-26-060 rules
* adjusted investigation guides to proper formatting
* Update initial_access_fortigate_sso_login_from_unusual_source.toml
* Update and rename exfiltration_fortigate_config_download.toml to collection_fortigate_config_download.toml
* Update collection_fortigate_config_download.toml
* Apply suggestion from @Samirbous
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestion from @Samirbous
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestion from @Samirbous
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestion from @Samirbous
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* adjusting rules
* revert super admin
* adjusted source.ip to 'fortinet.firewall.ui'
* changing ESQL to EQL for non-aggregate queries
* added CISA reference
* adjusted interval and maxspan
* updating dates
* changed download rule to EQL
* added additional sso checks; linted previous rules
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2026-01-30 10:16:34 -05:00
6502ba61d7
[Rule Tuning] M365 Security Compliance Potential Ransomware Activity ( #5653 )
...
Fixes #5652
2026-01-30 09:57:56 -05:00
efd1756d49
Update impact_hosts_file_modified.toml ( #5655 )
2026-01-29 17:02:14 +00:00
fa56ae556e
[New Rule] Okta AiTM Session Cookie Replay Detection ( #5627 )
...
* New Rule: Okta AiTM Session Cookie Replay Detection
Fixes #5626
* added keep; linted
* adjusted logic to include UA 2+, fixed MITRE Mappings
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2026-01-29 08:58:59 -05:00
a2c1dd8575
[New] Suspicious FortiGate and Fortinet Logon rules ( #5640 )
...
* [New] Suspicious FortiGate Admin Logon rules
- First-Time FortiGate Administrator Login
- FortiGate Administrator Login from Multiple IP Addresses
* Update initial_access_fortigate_admin_login_multi_srcip.toml
* ++
* ++
* Create initial_access_newly_observed_frotinet_logon.toml
* Update initial_access_newly_observed_frotinet_logon.toml
* build schema and manifest for fortinet
* Update pyproject.toml
* Update initial_access_newly_observed_frotinet_logon.toml
* Revert "Update initial_access_newly_observed_frotinet_logon.toml"
This reverts commit 7b99828b9a28a8ad9cd156fbe33c92ea436041e0.
* Revert "Update pyproject.toml"
This reverts commit 025daf566fa1f2d7dffd83717f5a70a8285d62ca.
* Revert "build schema and manifest for fortinet"
This reverts commit a6234164f827b65a3d4b7580ef647bfefc34b658.
* ++
2026-01-28 17:56:56 +00:00
cee9f51b6d
[New] Newly Observed Process Exhibiting CPU Spike ( #5635 )
...
* [New] Newly Observed Process Exhibiting CPU Spike
This rule alerts on processes exhibiting CPU spike and that are observed for the first time in the previous 5 days. This behavior may indicate performance issues as well as potential suspicious software like cryptomining or exploit abusing system resources following compromise.
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update rules/cross-platform/impact_newly_observed_process_with_high_cpu.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
* Update impact_newly_observed_process_with_high_cpu.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2026-01-28 17:38:22 +00:00
2265717c41
chore: Fix lock version for 9.3.2 Release ( #5634 )
...
* Min stack mv_contains
2026-01-27 22:38:39 -05:00
3ee0a72a65
Add investigation guides ( #5630 )
2026-01-27 14:28:06 +05:30
7ff19b3497
[Rule Tuning] Accepted Default Telnet Port Connection ( #5629 )
...
* Add Additional Data Sources
2026-01-26 20:43:23 -05:00
2f9dc7af53
[Rule Tuning] PowerShell Rules Revamp - 2 ( #5623 )
...
* [Rule Tuning] PowerShell Rules Revamp - 2
* Update credential_access_mimikatz_powershell_module.toml
* Apply suggestions from code review
2026-01-26 19:35:05 -03:00
6843d11b09
[Rule Tuning] PowerShell Rules Revamp - 3 ( #5625 )
...
* [Rule Tuning] PowerShell Rules Revamp - 3
* Apply suggestion from @w0rk3r
2026-01-26 19:11:29 -03:00
fc55e8b308
[Rule Tuning] PowerShell Rules Revamp - 1 ( #5619 )
...
* [Rule Tuning] PowerShell Rules Revamp - 1
* bump
2026-01-26 19:01:48 -03:00
42e7f3b4ce
[New] Multiple Alerts on a Host Exhibiting CPU Spike ( #5621 )
...
* [New] Multiple Alerts on a Host Exhibiting CPU Spike
This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update multiple_alerts_on_host_with_cpu_spike.toml
* Rename multiple_alerts_on_host_with_cpu_spike.toml to impact_alerts_on_host_with_cpu_spike.toml
* Update impact_alerts_on_host_with_cpu_spike.toml
* Update rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 20:42:20 +00:00
b311044624
[Rule Tuning] Entra ID OAuth Phishing via First-Party Microsoft Application ( #5610 )
...
Fixes #5609
2026-01-26 14:55:18 -05:00
094f907144
[New] Detection Alert on a Process Exhibiting CPU Spike ( #5617 )
...
* [New] Detection Alert on a Process Exhibiting CPU Spike
This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update rules/cross-platform/securityt_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Rename securityt_alert_from_a_process_with_cpu_spike.toml to security_alert_from_a_process_with_cpu_spike.toml
* Update security_alert_from_a_process_with_cpu_spike.toml
* Rename security_alert_from_a_process_with_cpu_spike.toml to impact_alert_from_a_process_with_cpu_spike.toml
* Update impact_alert_from_a_process_with_cpu_spike.toml
* Update non-ecs-schema.json
* Update rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2026-01-26 17:42:31 +00:00
6d9eef48b0
[New] Multiple Vulnerabilities by Asset via Wiz ( #5598 )
...
* [New] Wiz - Multiple Vulnerabilities by Container
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* add wiz manif and schema
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update pyproject.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* ++
* Update external_alerts.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Delete detection_rules/etc/integration-manifests.json.gz
* Revert "add wiz manif and schema"
This reverts commit a1e9e7440dcb46ea2abebec834cfc0291e3b60ae.
* Revert "Update pyproject.toml"
This reverts commit 47ab9d2dc8239207126b8512006f353a3fd4affc.
* update manifest and schema for wiz
2026-01-26 17:26:17 +00:00
88e0b14709
[Tuning] ESQL Dynamic unique value fields ( #5569 )
...
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion
Extract dynamic field with 1 value to ECS fields for alerts exclusion:
Esql.host_id_values -> host.is
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update newly_observed_elastic_defend_alert.toml
* Update defense_evasion_base64_decoding_activity.toml
* Update discovery_subnet_scanning_activity_from_compromised_host.toml
* Update persistence_web_server_sus_command_execution.toml
* Update persistence_web_server_sus_child_spawned.toml
* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/linux/impact_potential_bruteforce_malware_infection.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/windows/credential_access_rare_webdav_destination.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update credential_access_rare_webdav_destination.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 16:34:16 +00:00
edf28367e4
[New] Lateral Movement Alerts from a Newly Observed Entity ( #5557 )
...
* [New] Lateral Movement Alerts from a Newly Observed Entity
High-order rules to prioritize lateral movement alerts triage (detects multiple lateral movement alerts from a source.ip or user.id that was observed for the first time in the previous 5 days).
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_srcip.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/lateral_movement_multi_alerts_new_srcip.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/cross-platform/lateral_movement_multi_alerts_new_userid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_srcip.toml
* Update lateral_movement_multi_alerts_new_userid.toml
* Update lateral_movement_multi_alerts_new_userid.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 16:21:27 +00:00
6626475119
[Rule Tuning] Several Community DR Issues ( #5615 )
...
* [Rule Tuning] Suspicious Network Connection via systemd
* [Rule Tuning] Systemd-udevd Rule File Creation
* ++
2026-01-26 17:08:49 +01:00
c5b64c9fbf
[New/Tuning] General API Abuse D4C/K8s Rules ( #5591 )
...
* [New/Tuning] General API Abuse D4C/K8s Rules
* [New Rule] DNS Enumeration Detected via Defend for Containers
* [New Rule] Tool Enumeration Detected via Defend for Containers
* [New Rule] Tool Installation Detected via Defend for Containers
* Service Account File Reads
* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers
* Rule name update
* [New Rules] D4C K8S MDA API Request Rules
* Add 'tor' to the list of allowed process args
* ++
* ++
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update description
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 16:59:14 +01:00
57599e3796
[New Rule] Curl SOCKS Proxy Detected via Defend for Containers ( #5596 )
...
* [New Rule] Curl SOCKS Proxy Detected via Defend for Containers
* Added reference
* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update time range for cloud defend rule
* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2026-01-26 16:46:59 +01:00
fe4418d7f5
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset ( #5561 )
...
* [New Rules] Reintroduction of Defend for Containers (D4C) Ruleset
* ++
* Removed Reintroduced Rules from Deprecated Folder
* Updated Rule Names
* Added maturity field
* [Update] Large D4C Compatibility Overhaul
* Added busybox
* Remove file that was accidently added in this PR
* Creation date revert
* ++
* Update pyproject.toml
* ++
* ++
* Update
* Update schemas/manifests
* ++
2026-01-26 16:37:34 +01:00
3b6302a0c5
Update credential_access_multi_could_secrets_via_api.toml ( #5618 )
2026-01-26 15:21:18 +00:00
bbe83452b4
Revert "[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules ( #5578 )" ( #5620 )
...
This reverts commit c608b673bf
2026-01-26 08:31:53 -06:00
7221db6b36
[Tuning] Potential Ransomware Behavior - Note Files by System ( #5595 )
...
* [Tuning] Potential Ransomware Behavior - Note Files by System
added host.id and removed noisy patterns (writes to non C drive)
* Update impact_high_freq_file_renames_by_kernel.toml
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update impact_high_freq_file_renames_by_kernel.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 13:15:54 +00:00
30c7833f08
[Tuning] Rare Connection to WebDAV Target ( #5604 )
...
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
2026-01-26 12:51:09 +00:00
shashank-elastic