[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

* adjusted Potential Widespread Malware Infection Across Multiple Hosts

* adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source

* adjusted AWS EC2 Multi-Region DescribeInstances API Calls

* adjusted AWS Discovery API Calls via CLI from a Single Resource

* adjusted AWS Service Quotas Multi-Region  Requests

* adjusted AWS EC2 EBS Snapshot Shared or Made Public

* adjusted AWS S3 Bucket Enumeration or Brute Force

* adjusted AWS EC2 EBS Snapshot Access Removed

* adjusted Potential AWS S3 Bucket Ransomware Note Uploaded

* adjusted AWS S3 Object Encryption Using External KMS Key

* adjusted AWS S3 Static Site JavaScript File Uploaded

* adjusted AWS Access Token Used from Multiple Addresses

* adjusted AWS Signin Single Factor Console Login with Federated User

* adjusted AWS IAM AdministratorAccess Policy Attached to Group

* adjusted AWS IAM AdministratorAccess Policy Attached to Role

* adjusted AWS IAM AdministratorAccess Policy Attached to User

* adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

* adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

* adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

* adjusted Unusual High Confidence Content Filter Blocks Detected

* adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes

* AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User

* Unusual High Denied Sensitive Information Policy Blocks Detected

* adjusted Unusual High Denied Topic Blocks Detected

* adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

* adjusted Unusual High Word Policy Blocks Detected

* adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties

* adjusted Azure Entra MFA TOTP Brute Force Attempts

* adjusted Microsoft Entra ID Sign-In Brute Force Activity

* adjusted Microsoft Entra ID Exccessive Account Lockouts Detected

* adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins

* deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

* adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access

* adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS

* adjusted Potential Denial of Azure OpenAI ML Service

* adjusted Azure OpenAI Insecure Output Handling

* adjusted Potential Azure OpenAI Model Theft

* adjusted M365 OneDrive Excessive File Downloads with OAuth Token

* adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window

* adjusted Potential Microsoft 365 User Account Brute Force

* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code

* adjusted Multiple Device Token Hashes for Single Okta Session

* adjusted Multiple Okta User Authentication Events with Client Address

* adjusted Multiple Okta User Authentication Events with Same Device Token Hash

* adjusted High Number of Okta Device Token Cookies Generated for Authentication

* adjusted Okta User Sessions Started from Different Geolocations

* adjusted High Number of Egress Network Connections from Unusual Executable

* adjusted Unusual Base64 Encoding/Decoding Activity

* adjusted Potential Port Scanning Activity from Compromised Host

* adjusted Potential Subnet Scanning Activity from Compromised Host

* adjusted Unusual File Transfer Utility Launched

* adjusted Potential Malware-Driven SSH Brute Force Attempt

* adjusted Unusual Process Spawned from Web Server Parent

* adjusted Unusual Command Execution from Web Server Parent

* adjusted  Rare Connection to WebDAV Target

* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences

* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

* adjusted Unusual File Creation by Web Server

* adjusted Potential PowerShell Obfuscation via High Special Character Proportion

* adjusted Potential Malicious PowerShell Based on Alert Correlation

* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction

* adjusted Potential PowerShell Obfuscation via String Reordering

* adjusted Potential PowerShell Obfuscation via String Concatenation

* adjusted Potential PowerShell Obfuscation via Reverse Keywords

* adjusted PowerShell Obfuscation via Negative Index String Reversal

* adjusted Dynamic IEX Reconstruction via Method String Access

* adjusted Potential Dynamic IEX Reconstruction via Environment Variables

* adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion

* adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation

* adjusted Rare Connection to WebDAV Target

* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences

* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion

* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction

* adjusted Potential PowerShell Obfuscation via High Special Character Proportion

* adjusted Potential PowerShell Obfuscation via Special Character Overuse

* adjusted Potential PowerShell Obfuscation via String Reordering

* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code

* adjusted fields that were inconsistent

* adjusted additional fields

* adjusted esql to Esql

* adjusted several rules for common field names

* updating rules

* updated dates

* updated dates

* updated ESQL fields

* lowercase all functions and logical operators

* adjusted dates for unit tests

* Update Esql_priv to Esql_temp as these don't hold PII

* PowerShell adjustments

* Make query comments consistent

* update comment

* reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed

* Update rules/windows/discovery_command_system_account.toml

* removed dot notation

---------

Co-authored-by: Jonhnathan <[email protected]>

(cherry picked from commit b28338c)

Author: terrancedejesus

…e_force_microsoft_365_repeat_source.toml …e_force_microsoft_365_repeat_source.tomlrules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml renamed to rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml renamed to rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml

@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2024/09/06"
+deprecation_date = "2025/07/16"
 integration = ["azure"]
-maturity = "production"
-updated_date = "2025/06/06"
+maturity = "deprecated"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]

rules/cross-platform/execution_potential_widespread_malware_infection.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/05/08"
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
@@ -67,8 +67,8 @@ query = '''
 from logs-endpoint.alerts-*
 | where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
 | keep host.id, rule.name, event.code
-| stats hosts = count_distinct(host.id) by rule.name, event.code
-| where hosts >= 3
+| stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code
+| where Esql.host_id_count_distinct >= 3
 '''
 
 

rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/08/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
@@ -89,30 +89,35 @@ query = '''
 from logs-aws.cloudtrail-*
 
 // filter for DescribeInstances API calls
-| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"
+| where event.dataset == "aws.cloudtrail"
+  and event.provider == "ec2.amazonaws.com"
+  and event.action == "DescribeInstances"
 
 // truncate the timestamp to a 30-second window
-| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
+| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)
 
-// keep only the relevant fields
-| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region
+// keep only the relevant raw fields
+| keep Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, cloud.region
 
 // count the number of unique regions and total API calls within the 30-second window
-| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
+| stats
+    Esql.cloud_region_count_distinct = count_distinct(cloud.region),
+    Esql.event_count = count(*)
+  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
 // filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
-| where region_count >= 10 and window_count >= 10
+| where Esql.cloud_region_count_distinct >= 10 and Esql.event_count >= 10
 
-// sort the results by time windows in descending order
-| sort target_time_window desc
+// sort the results by time window in descending order
+| sort Esql.time_window_date_trunc desc
 '''
 
 [rule.investigation_fields]
 field_names = [
-    "aws.cloudtrail.user_identity.arn",
-    "target_time_window",
-    "region_count",
-    "window_count"
+  "aws.cloudtrail.user_identity.arn",
+  "target_time_window",
+  "region_count",
+  "window_count"
 ]
 
 [[rule.threat]]

rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
@@ -83,11 +83,11 @@ query = '''
 from logs-aws.cloudtrail*
 
 // create time window buckets of 10 seconds
-| eval time_window = date_trunc(10 seconds, @timestamp)
+| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
 | where
     event.dataset == "aws.cloudtrail"
 
-    // filter on CloudTrail audit logs for IAM, EC2, and S3 events only
+    // filter on CloudTrail audit logs for IAM, EC2, S3, etc.
     and event.provider in (
       "iam.amazonaws.com",
       "ec2.amazonaws.com",
@@ -97,8 +97,7 @@ from logs-aws.cloudtrail*
       "dynamodb.amazonaws.com",
       "kms.amazonaws.com",
       "cloudfront.amazonaws.com",
-      "elasticloadbalancing.amazonaws.com",
-      "cloudfront.amazonaws.com"
+      "elasticloadbalancing.amazonaws.com"
     )
 
     // ignore AWS service actions
@@ -117,19 +116,24 @@ from logs-aws.cloudtrail*
     starts_with(event.action, "List"),
     starts_with(event.action, "Generate")
 )
+
 // extract owner, identity type, and actor from the ARN
-| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
-| where starts_with(actor, "AWSServiceRoleForConfig") != true
-| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
+| dissect aws.cloudtrail.user_identity.arn "%{}::%{Esql_priv.aws_cloudtrail_user_identity_arn_owner}:%{Esql.aws_cloudtrail_user_identity_arn_type}/%{Esql.aws_cloudtrail_user_identity_arn_roles}"
+| where starts_with(Esql.aws_cloudtrail_user_identity_arn_roles, "AWSServiceRoleForConfig") != true
+
+// keep relevant fields (preserving ECS fields and computed time window)
+| keep @timestamp, Esql.time_window_date_trunc, event.action, aws.cloudtrail.user_identity.arn
+
+// count the number of unique API calls per time window and actor
 | stats
-    // count the number of unique API calls per time window and actor
-    unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn
+    Esql.event_action_count_distinct = count_distinct(event.action)
+  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
-// filter for more than 5 unique API calls per time window
-| where unique_api_count > 5
+// filter for more than 5 unique API calls per 10s window
+| where Esql.event_action_count_distinct > 5
 
 // sort the results by the number of unique API calls in descending order
-| sort unique_api_count desc
+| sort Esql.event_action_count_distinct desc
 '''
 
 

rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/08/26"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
@@ -15,52 +15,6 @@ from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS Service Quotas Multi-Region `GetServiceQuota` Requests"
-references = [
-    "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
-    "https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_GetServiceQuota.html",
-]
-risk_score = 21
-rule_id = "19be0164-63d2-11ef-8e38-f661ea17fbce"
-severity = "low"
-tags = [
-    "Domain: Cloud",
-    "Data Source: AWS",
-    "Data Source: Amazon Web Services",
-    "Data Source: AWS Service Quotas",
-    "Use Case: Threat Detection",
-    "Tactic: Discovery",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "esql"
-
-query = '''
-from logs-aws.cloudtrail-*
-
-// filter for GetServiceQuota API calls
-| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
-
-// truncate the timestamp to a 30-second window
-| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
-
-// pre-process the request parameters to extract the service code and quota code
-| dissect aws.cloudtrail.request_parameters "{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}"
-
-// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
-| where service_code == "ec2" and quota_code == "L-1216C47A"
-
-// keep only the relevant fields
-| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region, service_code, quota_code
-
-// count the number of unique regions and total API calls within the 30-second window
-| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
-
-// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
-| where region_count >= 10 and window_count >= 10
-
-// sort the results by time windows in descending order
-| sort target_time_window desc
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -95,6 +49,66 @@ AWS Service Quotas manage resource limits across AWS services, crucial for maint
 - Notify the security operations team and relevant stakeholders about the potential compromise and the steps being taken to remediate the issue.
 - If evidence of compromise is confirmed, consider engaging AWS Support or a third-party incident response team for further investigation and assistance.
 - Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of future unauthorized access attempts."""
+references = [
+    "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
+    "https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_GetServiceQuota.html",
+]
+risk_score = 21
+rule_id = "19be0164-63d2-11ef-8e38-f661ea17fbce"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS Service Quotas",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+
+// filter for GetServiceQuota API calls
+| where
+  event.dataset == "aws.cloudtrail"
+  and event.provider == "servicequotas.amazonaws.com"
+  and event.action == "GetServiceQuota"
+
+// truncate the timestamp to a 30-second window
+| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)
+
+// dissect request parameters to extract service and quota code
+| dissect aws.cloudtrail.request_parameters "{%{?Esql.aws_cloudtrail_request_parameters_service_code_key}=%{Esql.aws_cloudtrail_request_parameters_service_code}, %{?quota_code_key}=%{Esql.aws_cloudtrail_request_parameters_quota_code}}"
+
+// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
+| where Esql.aws_cloudtrail_request_parameters_service_code == "ec2" and Esql.aws_cloudtrail_request_parameters_quota_code == "L-1216C47A"
+
+// keep only the relevant fields
+| keep
+    Esql.time_window_date_trunc,
+    aws.cloudtrail.user_identity.arn,
+    cloud.region,
+    Esql.aws_cloudtrail_request_parameters_service_code,
+    Esql.aws_cloudtrail_request_parameters_quota_code
+
+// count the number of unique regions and total API calls within the time window
+| stats
+    Esql.cloud_region_count_distinct = count_distinct(cloud.region),
+    Esql.event_count = count(*)
+  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
+
+// filter for API calls in more than 10 regions within the 30-second window
+| where
+  Esql.cloud_region_count_distinct >= 10
+  and Esql.event_count >= 10
+
+// sort by time window descending
+| sort Esql.time_window_date_trunc desc
+'''
+
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"

rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/02"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
@@ -21,8 +21,7 @@ interval = "5m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS EC2 EBS Snapshot Shared or Made Public"
-note = """
-## Triage and analysis
+note = """## Triage and analysis
 
 ### Investigating AWS EC2 EBS Snapshot Shared or Made Public
 
@@ -81,10 +80,31 @@ type = "esql"
 
 query = '''
 from logs-aws.cloudtrail-* metadata _id, _version, _index
-| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success"
-| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}"
-| where operationType == "add" and cloud.account.id != userId
-| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address
+| where
+  event.provider == "ec2.amazonaws.com"
+  and event.action == "ModifySnapshotAttribute"
+  and event.outcome == "success"
+
+// Extract snapshotId, attribute type, operation type, and userId
+| dissect aws.cloudtrail.request_parameters
+  "{%{?snapshotId}=%{Esql.aws_cloudtrail_request_parameters_snapshot_id},%{?attributeType}=%{Esql.aws_cloudtrail_request_parameters_attribute_type},%{?createVolumePermission}={%{Esql.aws_cloudtrail_request_parameters_operation_type}={%{?items}=[{%{?userId}=%{Esql_priv.aws_cloudtrail_request_parameters_user_id}}]}}}"
+
+// Check for snapshot permission added for another AWS account
+| where
+  Esql.aws_cloudtrail_request_parameters_operation_type == "add"
+  and cloud.account.id != Esql_priv.aws_cloudtrail_request_parameters_user_id
+
+// keep ECS and derived fields
+| keep
+  @timestamp,
+  aws.cloudtrail.user_identity.arn,
+  cloud.account.id,
+  event.action,
+  Esql.aws_cloudtrail_request_parameters_snapshot_id,
+  Esql.aws_cloudtrail_request_parameters_attribute_type,
+  Esql.aws_cloudtrail_request_parameters_operation_type,
+  Esql_priv.aws_cloudtrail_request_parameters_user_id,
+  source.ip
 '''
 
 

rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/05/01"
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
@@ -86,13 +86,29 @@ type = "esql"
 
 query = '''
 from logs-aws.cloudtrail*
-| where event.provider == "s3.amazonaws.com" and aws.cloudtrail.error_code == "AccessDenied"
-// keep only relevant fields
-| keep tls.client.server_name, source.address, cloud.account.id
-| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id
-  // can modify the failed request count or tweak time window to fit environment
-  // can add `not cloud.account.id in (KNOWN)` or specify in exceptions
-| where failed_requests > 40
+
+| where
+  event.provider == "s3.amazonaws.com"
+  and aws.cloudtrail.error_code == "AccessDenied"
+  and tls.client.server_name is not null
+  and cloud.account.id is not null
+
+// keep only relevant ECS fields
+| keep
+  tls.client.server_name,
+  source.address,
+  cloud.account.id
+
+// count access denied requests per server_name, source, and account
+| stats
+    Esql.event_count = count(*)
+  by
+    tls.client.server_name,
+    source.address,
+    cloud.account.id
+
+// Threshold: more than 40 denied requests
+| where Esql.event_count > 40
 '''