Merge branch 'main' into update-date-metadata-logic

Author: aarju

rules/cross-platform/initial_access_azure_o365_with_network_alert.toml

@@ -2,12 +2,12 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip.
+This rule correlate Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address.
 Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
 resources.
 """
@@ -19,10 +19,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "M365 or Entra ID Identity Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating M365 or Entra ID Identity Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 | where @timestamp > now() - 8 hours
 // filter for azure or m365 sign-in and external alerts with source.ip not null
 | where to_ip(source.ip) is not null
-  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
+  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
   and not cidr_match(
     to_ip(source.ip),
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -93,13 +93,13 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
   )
 
 // capture relevant raw fields
-| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
+| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
 
 // classify each source ip based on alert type
 | eval
   Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
   Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
-  Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "external alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
+  Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
 
 // aggregate by source ip
 | stats
@@ -109,7 +109,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
     Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
     Esql.event_dataset_count_distinct = count_distinct(event.dataset),
     Esql.event_dataset_values = values(event.dataset),
-    Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
+    Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
     Esql.event_category_values = values(event.category)
   by Esql.source_ip = to_ip(source.ip)
 

rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -101,12 +101,11 @@ process where event.type == "start" and event.action in ("exec", "executed", "st
 )
 and (
   ?process.working_directory : (
-    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*",
-    "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
+    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*.pnpm/next*", "*next/dist/server*", "*react-scripts*") or
   (
     process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
     process.parent.command_line : (
-      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "*server.js*", "*bin/next*",
+      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "* server.js*",  "*start-server.js*", "*bin/next*",
       "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"
     )
   )

…harepoint_access_for_user_principal.toml …harepoint_access_for_user_principal.tomlrules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml renamed to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml renamed to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 

rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Microsoft Graph Request Email Access by Unusual User and Client"
 note = """## Triage and analysis
 
-### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
+### Investigating Microsoft Graph Request Email Access by Unusual User and Client
 
 This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
 

rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode"
+name = "Entra ID OAuth Device Code Flow with Concurrent Sign-ins"
 note = """## Triage and analysis
 
-### Investigating Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode
+### Investigating Entra ID OAuth Device Code Flow with Concurrent Sign-ins
 
 ### Possible investigation steps
 

rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID User Sign-in Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID User Sign-in Brute Force Attempted
 
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
 

rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml

@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_version = "9.0.0"
 min_stack_comments = "Bug fix in threshold rules."
-updated_date = "2025/12/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,10 +24,10 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"]
 interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Excessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Excessive Account Lockouts Detected
+### Investigating Entra ID Excessive Account Lockouts Detected
 
 This rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.
 

…ra_signin_brute_force_microsoft_365.toml …id_signin_brute_force_microsoft_365.tomlrules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml renamed to rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml renamed to rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "Entra ID Sign-in Brute Force Attempted (Microsoft 365)"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
+### Investigating Entra ID Sign-in Brute Force Attempted (Microsoft 365)
 
 Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage.
 

…ccess_azure_entra_suspicious_signin.toml …l_access_entra_id_suspicious_signin.tomlrules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml renamed to rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml renamed to rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
+name = "Entra ID Concurrent Sign-in with Suspicious Properties"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
+### Investigating Entra ID Concurrent Sign-in with Suspicious Properties
 
 ### Possible investigation steps
 

…ure_entra_totp_brute_force_attempts.toml …_entra_id_totp_brute_force_attempts.tomlrules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml renamed to rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml renamed to rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+name = "Entra ID MFA TOTP Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+### Investigating Entra ID MFA TOTP Brute Force Attempted
 
 This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.