* [New] AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
Detects AWS access keys that are used from both GitHub Actions CI/CD infrastructure and non-CI/CD infrastructure. This pattern indicates potential credential theft where an attacker who has stolen AWS credentials configured as GitHub Actions secrets and is using them from their own infrastructure.
* Update initial_access_github_actions_oidc_credentials_used_from_suspicious_network.toml
* ++
* Update initial_access_github_actions_oidc_credentials_used_from_suspicious_network.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [New] AWS Rare Source AS Organization Activity
Surfaces an AWS identity whose successful API traffic is dominated by a small set of large cloud-provider source AS organization labels, yet also shows a very small share of traffic from other AS organization names—including at least one sensitive control-plane, credential, storage, or model-invocation action on that uncommon network path with recent
activity from the uncommon path. The intent is to highlight disproportionate “baseline” cloud egress versus sparse use from rarer networks on the same principal, a shape that can appear when automation or CI credentials are reused or pivoted outside their usual hosted-cloud footprint.
* Apply suggestion from @eric-forte-elastic
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update initial_access_aws_api_unusual_asn.toml
* Update initial_access_aws_api_unusual_asn.toml
* Update initial_access_aws_api_unusual_asn.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [New] Long Base64 Encoded Command via Scripting Interpreter
Identifies oversized command lines used by Python, PowerShell, Node.js, or Deno that contain base64 decoding or encoded-command patterns. Adversaries may embed long inline encoded payloads in scripting interpreters to evade inspection and execute malicious content across Windows, macOS, and Linux systems.
* Update defense_evasion_long_base64_encoded_interpreter_command_line.toml
* Update defense_evasion_long_base64_encoded_interpreter_command_line.toml
* [New Rules] AWS Long-Term Creds Abuse Coverage
This adds a two-layer approach to long-term IAM access key (AKIA*) abuse, aligned with reporting on stolen or leaked keys often abused as seen in Kudelski Security — Trivy supply-chain report.
### Layer 1 — AWS Long-Term Access Key First Seen from Source IP (9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f)
New Terms on CloudTrail when a given AKIA succeeds from a new `source.ip` in the history window.
Goal: catch novel use of a durable key (travel, new egress, or attacker infrastructure).
### Layer 2 — AWS Long-Term Access Key Correlated with Elevated Detection Alerts
Higher-order rule on open alerts that requires both the Layer 1 rule and at least one other open alert on the same `source.ip` at medium+ severity (or equivalent risk score).
Goal: raise priority when “new IP for this key” happens together with stronger, post-compromise-style signals.
The higher-order rule correlates on `source.ip` in .alerts-security.* index. In testing, I chose to tie the same sessions together using `source.ip` vs `access_key.id` because the alerts index did not expose this field for queries.
Screenshots below show testing that verified the approach. The same operator/session across Layer 1 rule, the sibling alert, and the Layer 2 correlation rule for two separate lab scenarios (e.g. a high-severity sibling rule and a medium-severity sibling rule).
* adding IAM to rule names
* removing unnecessary ref
* Fixed Mitre tactics and tags
* [New Rules] AWS IAM Long-Term Creds Abuse Coverage
Adding min_stack to rule using the field user.entity.id, we determined AWS version 4.7.0 is compatible with Kibana versions '^8.19.4 || ^9.1.4'. We reverted the initial PR and this one adds the min_stack_version.
Original PR: - https://github.com/elastic/detection-rules/pull/5918
Revert PR: - https://github.com/elastic/detection-rules/pull/5923
* [New Rules] AWS Long-Term Creds Abuse Coverage
This adds a two-layer approach to long-term IAM access key (AKIA*) abuse, aligned with reporting on stolen or leaked keys often abused as seen in Kudelski Security — Trivy supply-chain report.
### Layer 1 — AWS Long-Term Access Key First Seen from Source IP (9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f)
New Terms on CloudTrail when a given AKIA succeeds from a new `source.ip` in the history window.
Goal: catch novel use of a durable key (travel, new egress, or attacker infrastructure).
### Layer 2 — AWS Long-Term Access Key Correlated with Elevated Detection Alerts
Higher-order rule on open alerts that requires both the Layer 1 rule and at least one other open alert on the same `source.ip` at medium+ severity (or equivalent risk score).
Goal: raise priority when “new IP for this key” happens together with stronger, post-compromise-style signals.
The higher-order rule correlates on `source.ip` in .alerts-security.* index. In testing, I chose to tie the same sessions together using `source.ip` vs `access_key.id` because the alerts index did not expose this field for queries.
Screenshots below show testing that verified the approach. The same operator/session across Layer 1 rule, the sibling alert, and the Layer 2 correlation rule for two separate lab scenarios (e.g. a high-severity sibling rule and a medium-severity sibling rule).
* adding IAM to rule names
* removing unnecessary ref
* Fixed Mitre tactics and tags
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] AWS S3 Rapid Bucket Posture API Calls from a Single Principal
Detects the same principal (`aws.cloudtrail.user_identity.arn`) from the same `source.ip` successfully calling a tight set of read-only S3 management APIs: ``` GetBucketAcl, GetBucketPublicAccessBlock, GetBucketPolicy, GetBucketPolicyStatus, GetBucketVersioning ``` against more than 15 distinct buckets (`aws.cloudtrail.resources.arn`) within a 10-second window.
The idea is grounded in cloud reconnaissance and scanner-style behavior discussed in Kudelski Security’s analysis of the Trivy supply chain story and related cloud activity. It explicitly called out automated assessment tooling and posture-oriented API use across ~24 buckets in a short time. It also highlighted the user's blind spot in telemetry with no Data events captured for S3 buckets. So would need to rely on management APIs for detection.
All our existing detections related to S3 rely on Data events and we have no explicit detections for scanner style recon sweeps as described in this threat report.
### Rule Design
- ES|QL with date_trunc(10 seconds, …) and count_distinct(aws.cloudtrail.resources.arn) grouped by time bucket, identity ARN, and source.ip.
- Management level API calls that are commonly used to identify bucket posture including public accessibility status and whether or not versioning is enabled (necessary info for ransomeware objectives)
- Excludes AWSService, requires source.ip, non-null aws.cloudtrail.resources.arn and user_identity.arn, and session_credential_from_console IS NULL to capture programmatic sessions over console behavior.
- Threshold 15 after evaluating rule in production environment to reduce noise from benign scanners and automation.
- low severity as this rule is FP prone until users add exclusions for known scanner behaviors specific to their environment
* correcting highlighted fields
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule][Rule Tuning] AWS Organizations/Account Discovery Coverage
In response to the supply chain attack highlighted in (Kudelski’s Trivy / TeamPCP analysis)[https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise], I've added coverage for AWS Organization and Account reconnaissance which was called out in the research.
### AWS Discovery API Calls via CLI from a Single Resource
- Expanded our existing Multi-service discovery rule to include `event.provider: oraganizations.amazonaws.com`
- added the new `aws.cloudtrail.session_credential_from_console` field to exclude console behavior from this rule, and added appropriate `min_stack` to account for introduction of the field.
GAP: This rule detects aws-cli usage only. In the mentioned reference, attackers used Botocore and Boto3 tooling for this recon activity.
SOLUTION:
### AWS Account Discovery By Rare User
- Created a new Discovery rule focused solely on Organization/Account reconnaissance.
- Made it a new terms rule to reduce false positive noise from common behavior that might be seen using Boto3 or Botocore tooling.
- excluded console session behavior and service account behavior
Testing:
- Ran PACU's organization__enum module
- created a script that can be run to validate the query
- plenty of test data in our stack to run the query against
* Update rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Expand AWS CloudTrail user-agent rule for TruffleHog and Kali
- Rename rule file to initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
- Rule name: AWS Suspicious User Agent Fingerprint
- Match TruffleHog in user_agent.original (successful API calls)
- Retain Kali Linux distrib#kali fingerprint for aws-cli/Boto3
- Refresh narrative and references (incl. Kudelski Trivy supply-chain analysis)
Same rule_id f80ea920-f6f5-4c8a-9761-84ac97ec0cb2.
Made-with: Cursor
* Apply suggestion from @terrancedejesus
* Update euid job ids and min stack version
* Update euid job ids and min stack version
* Update job suffix from _euid to _ea
* Update pad okta rules
* Update min_stack_comments
* Update gcp audit rules
* Update rules based on new changes
* Add rule for v3_windows_rare_script_ea job
* Update updated_date for rule to pass test
* Remove integrations-only changes (moved to euid-rules-update-integrations branch)
DED, DGA, LMD, PAD, and ProblemChild ML rule changes have been moved to the
euid-rules-update-integrations branch which corresponds to integrations#17626.
This branch (euid-rules-update) now only contains Kibana-related ML rule changes.
Made-with: Cursor
* Update stale updated_date to 2026/04/01 across all modified ML rules
Made-with: Cursor
* Bump min_stack_version from 9.3.0 to 9.4.0 in azure/gcp city/country/user rules
Made-with: Cursor
* Add min_stack_comments to those missing
* [New] Elastic Defend Alert from Package Manager Install Ancestry
Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process has a package-manager install context in its ancestry: npm (Node.js), PyPI (pip / Python / uv), or Rust (cargo). Install-time spawn chains are a common path for supply-chain and postinstall abuse; this Higher-Order rule surfaces Defend alerts
whose process tree includes such activity for prioritization.
* Update initial_access_elastic_defend_alert_package_manager_ancestor.toml
* Update rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update initial_access_elastic_defend_alert_package_manager_ancestor.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [New] Potential Credential Discovery via Recursive Grep
Identifies recursive grep activity on Linux or macOS where the command line suggests hunting for secrets, credentials,
keys, tokens, or sensitive paths (for example .env, .git, .aws). Events are aggregated per host, user, parent process, and one-minute window, the rule surfaces activity only when at least three distinct grep command lines match in the same bucket, to reduce noise from one-off searches.
* Update credential_access_grep_recursive_credential_discovery.toml
* Update rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update credential_access_grep_recursive_credential_discovery.toml
* Update credential_access_grep_recursive_credential_discovery.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
shashank-elastic