Merge branch 'main' into ET_SURIC

Author: Mikaayenson

.github/stale.yml

@@ -12,6 +12,8 @@ onlyLabels: []
 exemptLabels:
   - bug
   - backlog
+  - "Rule: Tuning"
+  - "Rule: New"
 
 # Set to true to ignore issues in a project (defaults to false)
 exemptProjects: false

detection_rules/etc/integration-manifests.json.gz

@@ -2,7 +2,7 @@
 creation_date = "2021/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/13"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ type = "esql"
 
 query = '''
 from logs-endpoint.*  metadata _id
-| where event.agent_id_status is not null 
+| where event.agent_id_status is not null and agent.id is not null
 | stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values_user_id = values(user.id) by agent.id
 | where Esql.count_distinct_host_ids >= 2
 | keep Esql.count_distinct_host_ids, Esql.host_id_values, Esql.user_id_values_user_id, agent.id

detection_rules/etc/integration-schemas.json.gz

@@ -2,7 +2,7 @@
 creation_date = "2025/06/30"
 integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/06/30"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 
-| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id, _version, _index
 '''
 
 

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -78,23 +78,37 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where
+any where process.executable != null and
 
   /* file events for creation; file change events are not captured by some of the included sources for linux and so may
      miss this, which is the purpose of the process + command line args logic below */
   (
-   event.category == "file" and event.type in ("change", "creation") and
+   event.category == "file" and event.type in ("change", "creation") and event.action != "rename" and
      file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and 
-     not process.name in ("dockerd", "rootlesskit", "podman", "crio")
+     not process.name in ("dockerd", "rootlesskit", "podman", "crio") and
+     not process.executable : ("C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe",
+                               "C:\\Program Files\\Seqrite\\Seqrite\\SCANNER.EXE",
+                               "C:\\Windows\\Temp\\*.ins\\inst.exe",
+                               "C:\\Windows\\System32\\svchost.exe",
+                               "C:\\Program Files\\NordVPN\\nordvpn-service.exe",
+                               "C:\\Program Files\\Tailscale\\tailscaled.exe",
+                               "C:\\Program Files\\Docker\\Docker\\com.docker.service",
+                               "C:\\Program Files\\Quick Heal\\Quick Heal AntiVirus Pro\\scanner.exe",
+                               "C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE",
+                               "C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe",
+                               "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe",
+                               "/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh",
+                               "/usr/local/demisto/server")
   )
   or
 
   /* process events for change targeting linux only */
   (
    event.category == "process" and event.type in ("start") and
      process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
-     process.args : ("/etc/hosts") and 
-     not process.parent.name in ("dhclient-script", "google_set_hostname")
+     (process.args : ("/etc/hosts") or (process.working_directory == "/etc" and process.args == "hosts")) and 
+     not process.parent.name in ("dhclient-script", "google_set_hostname") and
+     not process.command_line == "sed -i /Added by Google/d /etc/hosts"
   )
 '''
 

rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml

@@ -2,12 +2,12 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip.
+This rule correlate Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address.
 Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
 resources.
 """
@@ -19,10 +19,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "M365 or Entra ID Identity Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating M365 or Entra ID Identity Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 | where @timestamp > now() - 8 hours
 // filter for azure or m365 sign-in and external alerts with source.ip not null
 | where to_ip(source.ip) is not null
-  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
+  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
   and not cidr_match(
     to_ip(source.ip),
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -93,13 +93,13 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
   )
 
 // capture relevant raw fields
-| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
+| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
 
 // classify each source ip based on alert type
 | eval
   Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
   Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
-  Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "external alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
+  Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
 
 // aggregate by source ip
 | stats
@@ -109,7 +109,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
     Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
     Esql.event_dataset_count_distinct = count_distinct(event.dataset),
     Esql.event_dataset_values = values(event.dataset),
-    Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
+    Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
     Esql.event_category_values = values(event.category)
   by Esql.source_ip = to_ip(source.ip)
 

rules/cross-platform/impact_hosts_file_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -101,12 +101,11 @@ process where event.type == "start" and event.action in ("exec", "executed", "st
 )
 and (
   ?process.working_directory : (
-    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*",
-    "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
+    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*.pnpm/next*", "*next/dist/server*", "*react-scripts*") or
   (
     process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
     process.parent.command_line : (
-      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "*server.js*", "*bin/next*",
+      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "* server.js*",  "*start-server.js*", "*bin/next*",
       "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"
     )
   )

rules/cross-platform/initial_access_azure_o365_with_network_alert.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
+integration = ["endpoint", "checkpoint_email"]
 maturity = "production"
-updated_date = "2025/11/19"
+updated_date = "2025/12/15"
 
 [rule]
 author = ["Elastic"]
@@ -22,14 +23,15 @@ tags = [
     "Rule Type: Higher-Order Rule",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: Check Point Harmony Email & Collaboration",
     "Domain: Email",
     "Domain: Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-* metadata _id
+from logs-endpoint.alerts-*, logs-checkpoint_email.event-* metadata _id
 // Email or Elastic Defend alerts where user name is populated
 | where
   (event.category == "email" and event.kind == "alert" and destination.user.name is not null) or

rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/08/18"
+updated_date = "2025/12/12"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -97,7 +97,7 @@ type = "new_terms"
 query = '''
 event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
     event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and
-    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
+    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "Boto3")
 '''
 
 [rule.investigation_fields]