d8a39869c5
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 ( #5909 )
...
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2026-04-22 17:36:35 +05:30
9736407ef3
[FR] [DAC] Initial Yaml Support ( #5821 )
...
* Initial Yaml Support
2026-04-10 11:29:15 -04:00
984be4a1ac
[Bug] Small bugfix to address update navigator edge case ( #5942 )
...
* [Bug] Small bugfix to address update navigator edge case
2026-04-10 08:53:56 -04:00
1503976d10
[FR] Load ECS mapping based on supplied stack version ( #5925 )
...
* Load ECS mapping based on supplied stack version
2026-04-09 12:40:10 -04:00
c601edfbb3
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5930 )
2026-04-08 19:44:16 +05:30
88bc42265f
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5926 )
2026-04-07 17:45:00 +05:30
48128c1c66
[Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field ( #5894 )
...
* [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field
Fixes #5893
* adding non-admin consented filter
* converting to ESQL
* additional query adjustments
* adjusted query KEEP
* updating non-ecs
* Apply suggestion from @terrancedejesus
2026-04-06 09:40:21 -04:00
199a4d6160
Monthly Manifest and Schema Updation ( #5920 )
2026-04-06 17:35:33 +05:30
d9890db6ff
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5888 )
...
* Locked versions for releases: 8.19,9.1,9.2,9.3
* Update pyproject.toml
---------
Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com >
2026-03-26 12:31:50 -05:00
cd19b25485
[New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme ( #5878 )
...
* [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme
Fixes #5877
* adding microsoft_exchange_online_message_trace to manifests/schemas; bumping patch
* updated mitre
* Update rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* bumping patch
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2026-03-26 10:50:15 -05:00
75ffa5ec4e
[FR] [DaC] Add fine-grained bypass env var for ES|QL keep and metadata validation ( #5869 )
...
* Add fine grain 'keep' req bypass
* Add metadata bypass
2026-03-24 14:36:45 -04:00
b14dec9efa
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5875 )
2026-03-23 23:45:25 +05:30
ade7de7be4
[New Rules] External Promotion Alert for IBM QRadar ( #5843 )
2026-03-20 14:42:43 -05:00
cb5b89f83e
[FR] Includes deprecated rule stubs to the package for upstream testing ( #5813 )
...
* adds scripting to include deprecated rule stubs in package
* remove deprecated manifest from package
* adds 9.4 gate
* bump version
* fix merge conflict
* test
* revert commit hash
* adds deprecated_reason logic from comment
* fix lint error
* fix lint error
* fix formatting
* test
* revert commit hash
* Update detection_rules/packaging.py
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-03-18 14:34:25 -05:00
8b140d5811
[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules ( #5837 )
...
* [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules
* ++
* Bump pyproject.toml
* Bump pyproject.toml
2026-03-17 17:28:47 +01:00
937a7a35e6
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse ( #5824 )
...
* [New Rule] Azure Arc Kubernetes Cluster Connect Abuse
Fixes #5823
* rename, adjusted query
* adding KEEP *
* adjusting maturity
* added to non-ecs schema
* updating rule
* addressing unit test failures
* adjustments to logic, mitre mappings, unit test failures, etc.
* Update rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-03-17 11:06:47 -04:00
49c9c283e6
[FR] Reset deprecated lock to the latest state during lock ( #5827 )
2026-03-16 17:04:56 -05:00
57bf1546dd
[Bug] [DAC] Add filtering to export-rules-from-repo ( #5769 )
...
* Add filtering to export-rules-from-repo
2026-03-10 13:03:52 -04:00
61211a2670
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5820 )
2026-03-10 18:49:55 +05:30
87badac5a0
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5818 )
2026-03-10 15:33:16 +05:30
26d37dd62e
[Bug] Ignore Other Keep Wildcards ( #5792 )
...
* Ignore other Keep Wildcards
* Added a unit test for multiple keeps
* Add keep star unit tests
2026-03-09 19:33:27 -04:00
e08f234b1c
Monthly Manifest and Schema Updation ( #5816 )
...
* Monthly Manifest and Schema Updation
* Update Patch Version
2026-03-09 08:15:06 -05:00
5ecbc0f0b9
[New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access ( #5777 )
...
* [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access
Fixes #5776
* adjusting UUIDs
* added additional strings
* adjusted investigation guide
* fixed mitre mappings
* fixed mitre mappings
* Apply suggestion from @terrancedejesus
2026-02-26 14:29:14 -05:00
71c461d867
[New Rule] M365 MFA Notification Email Deleted or Moved ( #5779 )
...
* [New Rule] M365 MFA Notification Email Deleted or Moved
Fixes #5778
* updated non-ecs
* adjusted rule name
* Apply suggestion from @terrancedejesus
2026-02-26 13:21:08 -05:00
8593116f58
[New Rule] Okta User Authentication via Proxy Followed by Security Alert ( #5752 )
...
* [New Rule] Okta User Authentication via Proxy Followed by Security Alert
Fixes #5751
* adjusted to EQL
* fixed syntax
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* removed defense evasion; adjusted maxspan to 30m
* removed Okta tag
* adding Okta back as integration tag
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2026-02-26 11:32:25 -05:00
04ad018f27
[Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads ( #5767 )
...
* [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads
Fixes #5766
* updated non-ecs
* fixing keep command
2026-02-26 10:38:59 -05:00
201660af36
[Bug] Adding Deprecated Rules to Rules Package Breaks Current Package Build ( #5773 )
...
* applying patch fix for historical rules and deprecated JSON object
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2026-02-24 13:54:46 -05:00
92a379e034
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5765 )
2026-02-24 18:49:27 +05:30
5adc118f92
[Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value ( #5747 )
...
* Add reverse lookup check against Kibana value
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-20 15:29:51 -05:00
a1c3267529
[FR] Add deprecated file to release for upstream testing ( #5749 )
2026-02-20 14:16:27 -06:00
f773103519
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection ( #5702 )
...
* [Rule Tuning] Entra ID Federated Identity Credential Persistence Detection
Fixes #5701
* updated mitre mapping ID
* adjusted mitre mappings; non-ecs schema file
* fixed trailing comma in non-ecs; adjusted file name
* adjusted file name; fixed non-ecs schema for upstream ESQL validation
* Apply suggestion from @terrancedejesus
* Apply suggestion from @terrancedejesus
* changed lookback to 9 minutes; adjusted keep values
* added setup; added tag
2026-02-19 15:58:12 -05:00
63f76cf004
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client ( #5681 )
...
* [Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Fixes #5680
* adjusted query format for unit test; added additional domain tag for storage
* Apply suggestion from @terrancedejesus
* Fix formatting in non-ecs-schema.json
* adjusted description
* re-order mappings
2026-02-19 10:09:15 -05:00
62cc9f105d
[Rule Tuning] Okta User Assigned Administrator Role ( #5671 )
...
Fixes #5670
2026-02-12 09:33:25 -05:00
f306404fe5
[Bug] CLI adds frequency field to system actions (.cases), causing import failure ( #5690 )
...
* No frequency field to cases
2026-02-11 15:18:20 -05:00
f74c04d11a
[Bug] ESQL validation keep Clause Reported Missing Metadata Fields ( #5717 )
...
* Update Keep Field to Handle Comments
* Update for handling inline comments
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2026-02-11 15:02:23 -05:00
df9c27d82e
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5708 )
2026-02-10 11:14:23 +05:30
70d7f2b6b1
Monthly Manifest and Schema Updation ( #5697 )
2026-02-10 09:17:04 +05:30
64a08cd6af
[New Rules] Misc. K8s RBAC Abuse Rules ( #5673 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New Rules] Misc. K8s RBAC Abuse Rules
* --
* Update non-ecs-schema
* Update to make unit tests happy
* Mitre mapping updates
* Fix query logic for service account role bindings
* Fix formatting in persistence_service_account_bound_to_clusterrole rule
2026-02-05 17:42:03 +01:00
694376bd7a
[Bug] Fix UTF-8 Encoding for Rule File Operations ( #5684 )
...
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Bug] Fix UTF-8 Encoding for Rule File Operations
2026-02-05 14:21:30 +01:00
362c459094
[New] Multiple Machine Learning Alerts by Influencer Field ( #5660 )
...
* [New] Multiple Machine Learning Alerts by Influencer Field
This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.
* Update multiple_machine_learning_jobs_by_entity.toml
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
* Update multiple_machine_learning_jobs_by_entity.toml
* Update non-ecs-schema.json
2026-02-04 12:25:59 +00:00
59e394f36b
[doc fix] Adjust wording in the docs for Kibana import/export commands ( #5600 )
...
* Wording fix
* Version bump
* Style fixes
* Style fix for tests
2026-02-04 11:17:58 +01:00
c455d3d98a
[Rule Tuning] Full Kubernetes Ruleset ( #5659 )
...
* [Rule Tuning] Full Kubernetes Ruleset
* ++
* Update manifests & schemas
* Update pyproject.toml
* Added "kubernetes.audit.userAgent" to non_ecs
* Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword
* Apply suggestion from @Aegrah
* Apply suggestion from @Aegrah
* Update privilege_escalation_pod_created_with_hostnetwork.toml
* Apply suggestion from @Aegrah
* Update privilege_escalation_pod_created_with_hostipc.toml
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* ++
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-02-04 10:42:41 +01:00
8b8c0beec7
Lock versions for releases: 8.19,9.1,9.2,9.3 ( #5639 )
2026-01-28 18:37:52 +05:30
d252cae4ee
Ignore Keep * for ES|QL hash calc ( #5638 )
...
* Ignore Keep * for ES|QL hash calc
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-27 23:01:27 -05:00
070b457659
Test remote_cli update test indices
2026-01-27 20:08:19 +05:30
7ff19b3497
[Rule Tuning] Accepted Default Telnet Port Connection ( #5629 )
...
* Add Additional Data Sources
2026-01-26 20:43:23 -05:00
42e7f3b4ce
[New] Multiple Alerts on a Host Exhibiting CPU Spike ( #5621 )
...
* [New] Multiple Alerts on a Host Exhibiting CPU Spike
This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update multiple_alerts_on_host_with_cpu_spike.toml
* Rename multiple_alerts_on_host_with_cpu_spike.toml to impact_alerts_on_host_with_cpu_spike.toml
* Update impact_alerts_on_host_with_cpu_spike.toml
* Update rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 20:42:20 +00:00
094f907144
[New] Detection Alert on a Process Exhibiting CPU Spike ( #5617 )
...
* [New] Detection Alert on a Process Exhibiting CPU Spike
This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update securityt_alert_from_a_process_with_cpu_spike.toml
* Update rules/cross-platform/securityt_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Rename securityt_alert_from_a_process_with_cpu_spike.toml to security_alert_from_a_process_with_cpu_spike.toml
* Update security_alert_from_a_process_with_cpu_spike.toml
* Rename security_alert_from_a_process_with_cpu_spike.toml to impact_alert_from_a_process_with_cpu_spike.toml
* Update impact_alert_from_a_process_with_cpu_spike.toml
* Update non-ecs-schema.json
* Update rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2026-01-26 17:42:31 +00:00
6d9eef48b0
[New] Multiple Vulnerabilities by Asset via Wiz ( #5598 )
...
* [New] Wiz - Multiple Vulnerabilities by Container
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* add wiz manif and schema
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Update pyproject.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* ++
* Update external_alerts.toml
* Update multiple_vulnerabilities_wiz_by_container.toml
* Delete detection_rules/etc/integration-manifests.json.gz
* Revert "add wiz manif and schema"
This reverts commit a1e9e7440dcb46ea2abebec834cfc0291e3b60ae.
* Revert "Update pyproject.toml"
This reverts commit 47ab9d2dc8239207126b8512006f353a3fd4affc.
* update manifest and schema for wiz
2026-01-26 17:26:17 +00:00
c5b64c9fbf
[New/Tuning] General API Abuse D4C/K8s Rules ( #5591 )
...
* [New/Tuning] General API Abuse D4C/K8s Rules
* [New Rule] DNS Enumeration Detected via Defend for Containers
* [New Rule] Tool Enumeration Detected via Defend for Containers
* [New Rule] Tool Installation Detected via Defend for Containers
* Service Account File Reads
* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers
* Rule name update
* [New Rules] D4C K8S MDA API Request Rules
* Add 'tor' to the list of allowed process args
* ++
* ++
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update description
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2026-01-26 16:59:14 +01:00
Susan