[Rule Tuning] Beats & Endgame Indices (#5072)

Mikaayenson · tradebot-elastic · commit 400d24c53ac7 · 2025-09-09T18:23:46.000Z
(cherry picked from commit 392e025)
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: actor.entity.id and target.entity.id"
 min_stack_version = "8.16.5"
-updated_date = "2025/07/10"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-6m"
-index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+index = ["logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Customer-Managed Policy Attached to Role by Rare User"
diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/06"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ object ID. This is a New Terms rule that only signals if the application ID and
 seen doing this activity in the last 14 days.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
+index = ["logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/04/29"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/05/02"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.identity_protection-*"]
+index = ["logs-azure.identity_protection-*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2025/06/02"
 integration = ["azure"]
 maturity = "production"
 promotion = true
-updated_date = "2025/06/02"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.identity_protection-*"]
+index = ["logs-azure.identity_protection-*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
@@ -2,15 +2,15 @@
 creation_date = "2025/05/21"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/21"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
 description = """
 Identifies suspicious activity reported by users in Microsoft Entra ID where users have reported suspicious activity related to their accounts, which may indicate potential compromise or unauthorized access attempts. Reported suspicious activity typically occurs during the authentication process and may involve various authentication methods, such as password resets, account recovery, or multi-factor authentication challenges. Adversaries may attempt to exploit user accounts by leveraging social engineering techniques or other methods to gain unauthorized access to sensitive information or resources.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.auditlogs-*"]
+index = ["logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Entra ID User Reported Suspicious Activity"
diff --git a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/03/24"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ accomplished by tricking a user into granting consent to the application, typica
 establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Entra ID Illicit Consent Grant via Registered Application"
diff --git a/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml b/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ sign-ins, or other risk detections. Multiple alerts in a short time frame may in
 account.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.identity_protection-*"]
+index = ["logs-azure.identity_protection-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Microsoft Entra ID Protection Alerts by User Principal"
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/19"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
+index = ["logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Graph First Occurrence of Client Request"
diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/08/29"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies when multi-factor authentication (MFA) is disabled for an Entra ID us
 for a user account in order to weaken the authentication requirements for the account.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-azure.auditlogs-*"]
+index = ["logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Entra ID MFA Disabled for User"
diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
     """,
 ]
 from = "now-15m"
-index = ["filebeat-*", "logs-o365.audit-*"]
+index = ["logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "M365 Portal Login (Atypical Travel)"
diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
     """,
 ]
 from = "now-15m"
-index = ["filebeat-*", "logs-o365.audit-*"]
+index = ["logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "M365 Portal Login (Impossible Travel)"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ rule may help identify unauthorized use of the VS Code OAuth flow as part of soc
 activity.
 """
 from = "now-25m"
-index = ["filebeat-*", "logs-o365.audit-*"]
+index = ["logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 OAuth Phishing via Visual Studio Code Client"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/03/24"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ via a pre-made phishing URL. This establishes an OAuth grant that allows the mal
 resources in Microsoft 365 on-behalf-of the user.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-o365**"]
+index = ["logs-o365**"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Illicit Consent Grant via Registered Application"
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/05/21"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ Skype for Business Online. Adversaries can add users as Global Administrators to
 subscriptions and their settings and resources.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-o365.audit-*"]
+index = ["logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Global Administrator Role Assigned"
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
     "Shared systems such as Kiosks and conference room computers may be used by multiple users.",
 ]
 from = "now-9m"
-index = ["filebeat-*", "logs-okta*"]
+index = ["logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy"
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,13 +2,13 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
 description = "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP)."
 from = "now-30m"
-index = ["filebeat-*", "logs-okta*"]
+index = ["logs-okta*"]
 interval = "15m"
 language = "kuery"
 license = "Elastic License v2"
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/08/15"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-12h"
-index = ["filebeat-*", "logs-okta.system*"]
+index = ["logs-okta.system*"]
 interval = "6h"
 language = "eql"
 license = "Elastic License v2"
@@ -35,7 +35,7 @@ This rule fires when an Okta user account has MFA deactivated and no subsequent
 
 - Identify the entity related to the alert by reviewing `okta.target.alternate_id`, `okta.target.id` or `user.target.full_name` fields. This should give the username of the account being targeted. Verify if MFA is deactivated for the target entity.
 - Using the `okta.target.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`. Note if MFA re-activation attempts were made against the target.
-- Identify the actor performing the deactivation by reviewing `okta.actor.alternate_id`, `okta.actor.id` or `user.full_name` fields. This should give the username of the account performing the action. Determine if deactivation was performed by a separate user. 
+- Identify the actor performing the deactivation by reviewing `okta.actor.alternate_id`, `okta.actor.id` or `user.full_name` fields. This should give the username of the account performing the action. Determine if deactivation was performed by a separate user.
 - Review events where `okta.event_type` is `user.authenticate*` to determine if the actor or target accounts had suspicious login activity.
     - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.
 - Examine related administrative activity by the actor for privilege misuse or suspicious changes.
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ probability of it being malicious activity. Alternatively, the model's blocklist
 malicious.
 """
 from = "now-10m"
-index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ probability of it being malicious activity. Alternatively, the model's blocklist
 malicious.
 """
 from = "now-10m"
-index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/09/09"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["logs-system.auth-*", "filebeat-*"]
+index = ["logs-system.auth-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Successful SSH Authentication from Unusual SSH Public Key"
