Merge branch 'main' into new-rule-potential-rfi

Author: Aegrah

detection_rules/config.py

@@ -227,7 +227,7 @@ def parse_rules_config(path: Path | None = None) -> RulesConfig:  # noqa: PLR091
             raise ValueError(f"rules config file does not exist: {path}")
         loaded = yaml.safe_load(path.read_text())
     elif CUSTOM_RULES_DIR:
-        path = Path(CUSTOM_RULES_DIR) / "_config.yaml"
+        path = Path(CUSTOM_RULES_DIR).expanduser() / "_config.yaml"
         if not path.exists():
             raise FileNotFoundError(
                 """

detection_rules/etc/non-ecs-schema.json

@@ -145,7 +145,7 @@
     "kibana.alert.rule.threat.tactic.id": "keyword",
     "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword",
-    "kibana.alert.rule.name": "keyword", 
+    "kibana.alert.rule.name": "keyword",
     "kibana.alert.risk_score": "long",
     "kibana.alert.rule.type": "keyword",
     "kibana.alert.rule.threat.tactic.name": "keyword"
@@ -237,7 +237,8 @@
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
      "o365.audit.OperationProperties.Name": "keyword",
      "o365.audit.OperationProperties.Value": "keyword",
-     "o365.audit.OperationCount": "long"
+     "o365.audit.OperationCount": "long",
+     "o365.audit.AppAccessContext.AADSessionId": "keyword"
   },
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",

detection_rules/schemas/definitions.py

@@ -76,7 +76,9 @@ def validator_wrapper(value: Any) -> Any:
 CONDITION_VERSION_PATTERN = re.compile(rf"^\^{_version}$")
 VERSION_PATTERN = f"^{_version}$"
 MINOR_SEMVER = re.compile(r"^\d+\.\d+$")
-FROM_SOURCES_REGEX = re.compile(r"^\s*FROM\s+(?P<sources>.+?)\s*(?:\||\bmetadata\b|//|$)", re.IGNORECASE | re.MULTILINE)
+FROM_SOURCES_REGEX = re.compile(
+    r"^\s*FROM\s+(?P<sources>(?:.+?(?:,\s*)?\n?)+?)\s*(?:\||\bmetadata\b|//|$)", re.IGNORECASE | re.MULTILINE
+)
 BRANCH_PATTERN = f"{VERSION_PATTERN}|^master$"
 ELASTICSEARCH_EQL_FEATURES = {
     "allow_negation": (Version.parse("8.9.0"), None),

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.17"
+version = "1.5.19"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

@@ -0,0 +1,198 @@
+[metadata]
+creation_date = "2025/12/01"
+integration = ["aws", "gcp", "azure"]
+maturity = "production"
+updated_date = "2025/12/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
+address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
+to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
+succession to expand their access or exfiltrate sensitive information.
+"""
+from = "now-9m"
+interval = "5m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Cloud Secrets Accessed by Source Address"
+note = """## Triage and analysis
+
+### Multiple Cloud Secrets Accessed by Source Address
+
+This alert identifies a single source IP address accessing secret-management APIs across **multiple cloud providers**
+(e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) within a short timeframe.
+This behavior is strongly associated with **credential theft, session hijacking, or token replay**, where an adversary
+uses stolen authenticated sessions to harvest secrets across cloud environments.
+
+Unexpected cross-cloud secret retrieval is uncommon and typically indicates automation misuse or malicious activity.
+
+### Possible investigation steps
+
+- Validate the principal
+  - Identify the user, service account, workload identity, or application making the requests.
+  - Confirm whether this identity is expected to operate across more than one cloud provider.
+- Review related activity
+  - Look for additional alerts involving the same identity, source IP, or token over the last 24–48 hours.
+  - Identify whether the source IP has been observed performing unusual authentication, privilege escalation,
+    or reconnaissance.
+- Check application or service context
+  - Determine whether any workload legitimately pulls secrets from multiple cloud providers.
+  - Review deployment pipelines or integration layers that might legitimately bridge AWS, Azure, and GCP.
+- Analyze user agent and invocation patterns
+  - Compare `user_agent.original` or equivalent fields against expected SDKs or automation tools.
+  - Suspicious indicators include CLI tools, unknown libraries, browser user agents, or custom scripts.
+- Inspect IP reputation and origin
+  - Determine whether the source IP corresponds to a managed workload (EC2, GCE, Azure VM) or an unexpected host.
+  - Validate that the associated instance or host is under your control and behaving normally.
+- Review IAM permissions and accessed secrets
+  - Check the policies attached to the identity.
+  - Verify whether the accessed secrets are sensitive, unused, or unrelated to the identity’s purpose.
+- Assess potential compromise scope
+  - If compromise is suspected, enumerate other assets accessed by the same identity in the last 24 hours.
+  - Look for lateral movement, privilege escalation, or abnormal API usage.
+
+### False positive analysis
+
+- Validate whether the source IP is associated with a legitimate multi-cloud orchestration tool, automation pipeline,
+  or shared CI/CD system.
+- Confirm that the identity is authorized to access secrets across multiple cloud services.
+- If activity is expected, consider adding exceptions that pair account identity, source IP, and expected user agent
+  to reduce noise.
+
+### Response and remediation
+
+- Initiate incident response** if the activity is unauthorized or suspicious.
+- Restrict or disable** the affected credentials or service accounts.
+- Rotate all accessed secrets** and review other secrets the identity can access.
+- Analyze systems** that may have leaked credentials, such as compromised hosts or exposed tokens.
+- Harden identity security:
+  - Enforce MFA for users where applicable.
+  - Reduce permissions to least privilege.
+  - Review trust relationships, workload identities, and cross-cloud integrations.
+- Search for persistence mechanisms** such as newly created keys, roles, or service accounts.
+- Improve monitoring and audit visibility** by ensuring logging is enabled across all cloud environments.
+- Determine root cause** (phishing, malware, token replay, exposed credential, etc.) and close the vector to prevent recurrence.
+"""
+references = [
+    "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+    "https://docs.cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version",
+    "https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets",
+    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+]
+risk_score = 73
+rule_id = "472b4944-d810-43cf-83dc-7d080ae1b8dd"
+setup = """
+This multi-datasource rule relies on additional configurations from each hyperscaler.
+
+- GCP Audit: [Enable DATA_READ for the Secret Manager API service](https://docs.cloud.google.com/logging/docs/audit/configure-data-access)
+- Azure: [Enable Diagnostic Logging for the Key Vault Service](https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli)
+- AWS: Secrets Manager read access is automatically logged by CloudTrail.
+"""
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: IAM",
+    "Domain: Storage",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS Secrets Manager",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Data Source: GCP",
+    "Data Source: Google Cloud Platform",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
+| WHERE 
+  ( 
+    /* AWS Secrets Manager */ 
+    (event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR 
+    // Azure Key Vault (platform logs)
+    (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or 
+    /* Azure Key Vault (activity logs) */ 
+    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR 
+    /* Azure Managed HSM secret */ 
+    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR 
+    /* Google Secret Manager */ 
+    (event.dataset IN ("googlecloud.audit", "gcp.audit") AND 
+     event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
+   ) AND source.ip IS NOT NULL
+// Unified user identity (raw)
+| EVAL Esql_priv.user_id =
+    COALESCE(
+      client.user.id,
+      aws.cloudtrail.user_identity.arn,
+      azure.platformlogs.identity.claim.upn,
+      NULL
+    )
+// Cloud vendor label based on dataset
+| EVAL Esql.cloud_vendor = CASE(
+    event.dataset == "aws.cloudtrail", "aws",
+    event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
+    event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
+    "unknown"
+  )
+// Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
+| EVAL Esql.tenant_label = CASE(
+    Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
+    Esql.cloud_vendor == "azure", CONCAT("azure:", cloud.account.id),
+    Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
+    NULL
+  )
+| STATS
+    // Core counts
+    Esql.events_count = COUNT(*),
+    Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
+    // Action & data source context
+    Esql.event_action_values = VALUES(event.action),
+    Esql.data_source_values = VALUES(event.dataset),
+    // Cloud vendor + tenant context
+    Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
+    Esql.tenant_label_values = VALUES(Esql.tenant_label),
+    // Hyperscaler-specific IDs
+    Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
+    Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
+    Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
+    // Generic cloud metadata
+    Esql.cloud_region_values = VALUES(cloud.region),
+    Esql.cloud_service_name_values = VALUES(cloud.service.name),
+    // Identity (privileged)
+    Esql_priv.user_values = VALUES(Esql_priv.user_id),
+    Esql_priv.client_user_id_values = VALUES(client.user.id),
+    Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
+    Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
+    // Namespace values
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
+  BY source.ip
+// Require multi-vendor cred-access from same source IP
+| WHERE Esql.vendor_count_distinct >= 2
+| SORT Esql.events_count DESC
+| KEEP Esql.*, Esql_priv.*, source.ip
+'''
+
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.006"
+name = "Cloud Secrets Management Stores"
+reference = "https://attack.mitre.org/techniques/T1555/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml

@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2025/11/27"
+integration = ["nginx", "apache", "apache_tomcat"]
+maturity = "production"
+updated_date = "2025/11/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying
+HTTP traffic that uses a different HTTP version than the one typically used in the environment. An
+HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, 
+resulting in potentially less secure communication. For example, an attacker might downgrade a
+connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in
+the older protocol versions.
+"""
+from = "now-9m"
+index = [
+        "logs-nginx.access-*",
+        "logs-apache.access-*",
+        "logs-apache_tomcat.access-*",
+]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential HTTP Downgrade Attack"
+risk_score = 21
+rule_id = "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+http.version:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.010"
+name = "Downgrade Attack"
+reference = "https://attack.mitre.org/techniques/T1562/010/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["http.version", "agent.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"