Merge branch 'main' into renovate_updates

Author: shashank-elastic

detection_rules/etc/non-ecs-schema.json

@@ -202,7 +202,8 @@
     "azure.activitylogs.properties.resourceDisplayName": "keyword",
     "azure.activitylogs.properties.appDisplayName": "keyword",
     "azure.activitylogs.properties.requestbody.properties.roleDefinitionId": "keyword",
-    "azure.activitylogs.properties.responseBody": "keyword"
+    "azure.activitylogs.properties.responseBody": "keyword",
+    "azure.activitylogs.properties.status_code": "keyword"
   },
   "logs-azure.graphactivitylogs-*": {
     "azure.graphactivitylogs.properties.c_idtyp": "keyword",

detection_rules/index_mappings.py

@@ -160,25 +160,33 @@ def get_simulated_index_template_mappings(elastic_client: Elasticsearch, name: s
 
 
 def prune_mappings_of_unsupported_types(
-    integration: str, stream: str, stream_mappings: dict[str, Any], log: Callable[[str], None]
+    debug_str_data_source: str, stream_mappings: dict[str, Any], log: Callable[[str], None]
 ) -> dict[str, Any]:
     """Prune fields with unsupported types (ES|QL) from the provided mappings."""
     nested_multifields = find_nested_multifields(stream_mappings)
     for field in nested_multifields:
-        field_name = str(field).split(".fields.")[0].replace(".", ".properties.") + ".fields"
+        parts = str(field).split(".fields.")[0].split(".")
+        base_name = ".properties.".join(parts)
+        field_name = f"{base_name}.fields"
         log(
-            f"Warning: Nested multi-field `{field}` found in `{integration}-{stream}`. "
+            f"Warning: Nested multi-field `{field}` found in `{debug_str_data_source}`. "
             f"Removing parent field from schema for ES|QL validation."
         )
         delete_nested_key_from_dict(stream_mappings, field_name)
     nested_flattened_fields = find_flattened_fields_with_subfields(stream_mappings)
     for field in nested_flattened_fields:
-        field_name = str(field).split(".fields.")[0].replace(".", ".properties.") + ".fields"
+        # Remove both .fields and .properties entries for flattened fields
+        # .properties entries can occur when being merged with non-ecs or custom schemas
+        parts = str(field).split(".fields.")[0].split(".")
+        base_name = ".properties.".join(parts)
+        field_name = f"{base_name}.fields"
+        property_name = f"{base_name}.properties"
         log(
-            f"Warning: flattened field `{field}` found in `{integration}-{stream}` with sub fields. "
+            f"Warning: flattened field `{field}` found in `{debug_str_data_source}` with sub fields. "
             f"Removing parent field from schema for ES|QL validation."
         )
         delete_nested_key_from_dict(stream_mappings, field_name)
+        delete_nested_key_from_dict(stream_mappings, property_name)
     return stream_mappings
 
 
@@ -222,7 +230,7 @@ def prepare_integration_mappings(  # noqa: PLR0913
         for stream in package_schema:
             flat_schema = package_schema[stream]
             stream_mappings = flat_schema_to_index_mapping(flat_schema)
-            stream_mappings = prune_mappings_of_unsupported_types(integration, stream, stream_mappings, log)
+            stream_mappings = prune_mappings_of_unsupported_types(f"{integration}-{stream}", stream_mappings, log)
             utils.combine_dicts(integration_mappings, deepcopy(stream_mappings))
             index_lookup[f"{integration}-{stream}"] = stream_mappings
 
@@ -246,12 +254,13 @@ def get_index_to_package_lookup(indices: list[str], index_lookup: dict[str, Any]
     return index_lookup_indices
 
 
-def get_filtered_index_schema(
+def get_filtered_index_schema(  # noqa: PLR0913
     indices: list[str],
     index_lookup: dict[str, Any],
     ecs_schema: dict[str, Any],
     non_ecs_mapping: dict[str, Any],
     custom_mapping: dict[str, Any],
+    log: Callable[[str], None],
 ) -> tuple[dict[str, Any], dict[str, Any]]:
     """Check if the provided indices are known based on the integration format. Returns the combined schema."""
 
@@ -304,7 +313,7 @@ def get_filtered_index_schema(
         # Need to use a merge here to not overwrite existing fields
         utils.combine_dicts(base, deepcopy(non_ecs_mapping.get(match, {})))
         utils.combine_dicts(base, deepcopy(custom_mapping.get(match, {})))
-        filtered_index_lookup[match] = base
+        filtered_index_lookup[match] = prune_mappings_of_unsupported_types(match, base, log)
         utils.combine_dicts(combined_mappings, deepcopy(base))
 
     # Reduce the index lookup to only the matched indices (remote/Kibana schema validation source of truth)
@@ -403,7 +412,7 @@ def find_nested_multifields(mapping: dict[str, Any], path: str = "") -> list[Any
 
 
 def find_flattened_fields_with_subfields(mapping: dict[str, Any], path: str = "") -> list[str]:
-    """Recursively search for fields of type 'flattened' that have a 'fields' key in Elasticsearch mappings."""
+    """Recursively search for type 'flattened' that have a 'fields' or 'properties' key in Elasticsearch mappings."""
     flattened_fields_with_subfields: list[str] = []
 
     for field, properties in mapping.items():
@@ -413,6 +422,9 @@ def find_flattened_fields_with_subfields(mapping: dict[str, Any], path: str = ""
             # Check if the field is of type 'flattened' and has a 'fields' key
             if properties.get("type") == "flattened" and "fields" in properties:  # type: ignore[reportUnknownVariableType]
                 flattened_fields_with_subfields.append(current_path)  # type: ignore[reportUnknownVariableType]
+            # Check if the field is of type 'flattened' and has a 'properties' key
+            if properties.get("type") == "flattened" and "properties" in properties:  # type: ignore[reportUnknownVariableType]
+                flattened_fields_with_subfields.append(current_path)  # type: ignore[reportUnknownVariableType]
 
             # Recurse into subfields
             if "properties" in properties:
@@ -487,8 +499,7 @@ def prepare_mappings(  # noqa: PLR0913
     # and also at a per index level as custom schemas can override non-ecs fields and/or indices
     non_ecs_schema = ecs.flatten(non_ecs_schema)
     non_ecs_schema = utils.convert_to_nested_schema(non_ecs_schema)
-    non_ecs_schema = prune_mappings_of_unsupported_types("non-ecs", "non-ecs", non_ecs_schema, log)
-    non_ecs_mapping = prune_mappings_of_unsupported_types("non-ecs", "non-ecs", non_ecs_mapping, log)
+    non_ecs_schema = prune_mappings_of_unsupported_types("non-ecs", non_ecs_schema, log)
 
     # Load custom schema and convert to index mapping format (nested schema)
     custom_mapping: dict[str, Any] = {}
@@ -498,15 +509,14 @@ def prepare_mappings(  # noqa: PLR0913
         index_mapping = ecs.flatten(index_mapping)
         index_mapping = utils.convert_to_nested_schema(index_mapping)
         custom_mapping.update({index: index_mapping})
-    custom_mapping = prune_mappings_of_unsupported_types("custom", "custom", custom_mapping, log)
 
     # Load ECS in an index mapping format (nested schema)
     current_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
     ecs_schema = get_ecs_schema_mappings(current_version)
 
     # Filter combined mappings based on the provided indices
     combined_mappings, index_lookup = get_filtered_index_schema(
-        indices, index_lookup, ecs_schema, non_ecs_mapping, custom_mapping
+        indices, index_lookup, ecs_schema, non_ecs_mapping, custom_mapping, log
     )
 
     index_lookup.update({"rule-ecs-index": ecs_schema})

docs/audit_policies/windows/README.md

@@ -0,0 +1,52 @@
+# Windows Audit Policies
+
+Windows related audit policies that need to be implemented in order to generate the events that power our detection rules. It serves as a centralized view of the policies we use so you don't need to go through every rule to know the different audit policies required.
+
+Audit Policies:
+
+* [Audit Authorization Policy Change](audit_authorization_policy_change.md)
+* [Audit Computer Account Management](audit_computer_account_management.md)
+* [Audit Detailed File Share](audit_detailed_file_share.md)
+* [Audit Directory Service Access](audit_directory_service_access.md)
+* [Audit Directory Service Changes](audit_directory_service_changes.md)
+* [Audit Filtering Platform Connection](audit_filtering_platform_connection.md)
+* [Audit Filtering Platform Packet Drop](audit_filtering_platform_packet_drop.md)
+* [Audit Handle Manipulation](audit_handle_manipulation.md)
+* [Audit Logon](audit_logon.md)
+* [Audit Other Object Access Events](audit_other_object_access_events.md)
+* [Audit Policy Change](audit_policy_change.md)
+* [Audit Process Creation and Command Line](audit_process_creation_and_command_line.md)
+* [Audit Security Group Management](audit_security_group_management.md)
+* [Audit Security System Extension](audit_security_system_extension.md)
+* [Audit Sensitive Privilege Use](audit_sensitive_privilege_use.md)
+* [Audit Special Logon](audit_special_logon.md)
+* [Audit Token Right Adjusted Events](audit_token_right_adjusted_events.md)
+* [Audit User Account Management](audit_user_account_management.md)
+* [Audit Powershell Script Block Logging](audit_powershell_scriptblock.md)
+
+---
+
+# Sysmon Configuration Guides
+
+**Caution:** The following guides provide minimal configuration examples designed to enable specific Sysmon Event IDs. Collecting Sysmon events without a tailored configuration for your environment will cause high data volume and potentially high CPU-load, and these setup instructions require significant tuning to be production-ready.
+
+To build an efficient and production-ready configuration, we strongly recommend exploring these community resources:
+
+ - [TrustedSec Sysmon Community Guide](https://github.com/trustedsec/SysmonCommunityGuide)
+ - [olafhartong - sysmon-modular](https://github.com/olafhartong/sysmon-modular)
+ - [Neo23x0 - sysmon-config](https://github.com/Neo23x0/sysmon-config)
+
+For a production-ready and more integrated solution that is designed to work with our detection rules and also provide native Endpoint Protection and Response, check out [Elastic Endpoint Security](https://www.elastic.co/security/endpoint-security).
+
+* [Sysmon Event ID 1: Process Creation](sysmon_eventid1_process_creation.md)
+* [Sysmon Event ID 2: File Creation Time Changed](sysmon_eventid2_file_creation_time_changed.md)
+* [Sysmon Event ID 3: Network Connection](sysmon_eventid3_network_connection.md)
+* [Sysmon Event ID 7: Image Loaded](sysmon_eventid7_image_loaded.md)
+* [Sysmon Event ID 8: Create Remote Thread](sysmon_eventid8_createremotethread.md)
+* [Sysmon Event ID 10: Process Accessed](sysmon_eventid10_process_access.md)
+* [Sysmon Event ID 11: File Create](sysmon_eventid11_file_create.md)
+* [Sysmon Event IDs 12, 13, 14: Registry Events](sysmon_eventid12_13_14_registry_event.md)
+* [Sysmon Event IDs 17, 18: Named Pipe Events](sysmon_eventid17_18_pipe_event.md)
+* [Sysmon Event IDs 19, 20, 21: WMI Events](sysmon_eventid19_20_21_wmi_event.md)
+* [Sysmon Event ID 22: DNS Query](sysmon_eventid22_dns_query.md)
+* [Sysmon Event ID 23: File Delete](sysmon_eventid23_file_delete.md)

docs/audit_policies/windows/audit_authorization_policy_change.md

@@ -0,0 +1,46 @@
+# Audit Authorization Policy Change
+
+## Setup
+
+Some detection rules require monitoring changes to authorization policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into changes affecting user rights and security policies, helping maintain compliance and security.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Authorization Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Authorization Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Audit Policy Configuration >
+Audit Policies >
+Policy Change >
+Audit Authorization Policy Change (Success,Failure)
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **4703**: A user right was adjusted.
+* **4704**: A user right was assigned.
+* **4705**: A user right was removed.
+* **4670**: Permissions on an object were changed.
+* **4911**: Resource attributes of the object were changed.
+* **4913**: Central Access Policy on the object was changed.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+[Elastic Detection Rules Github Repo Search](https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224703%22+OR+%22Token+Right+Adjusted+Events%22+OR+%224704%22+OR+%22user-right-assigned%22+OR+%224705%22+OR+%22user-right-removed%22+OR+%224670%22+OR+%22permissions-changed%22+OR+%224911%22+OR+%224913%22%29++language%3ATOML&type=code)

docs/audit_policies/windows/audit_computer_account_management.md

@@ -0,0 +1,42 @@
+# Audit Computer Account Management
+
+## Setup
+
+Some detection rules require monitoring computer account management events to track changes to computer accounts in the domain. Enabling this setting provides visibility into when computer accounts are created, changed, or deleted, which is crucial for detecting potential malicious activity like adding unauthorized computer accounts.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Computer Account Management` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Computer Account Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Account Management >
+Audit Computer Account Management (Success,Failure)
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **4741**: A computer account was created.
+* **4742**: A computer account was changed.
+* **4743**: A computer account was deleted.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+[Elastic Detection Rules Github Repo Search](https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224741%22+OR+%22added-computer-account%22+OR+%224742%22+OR+%22changed-computer-account%22+OR+%224743%22+OR+%22deleted-computer-account%22%29+language%3ATOML+AND+NOT+%28%22%28for+example%2C+4741%29%22+OR+%22Review+the+event+ID+4741%22+OR+%22e.g.%2C+4741%22%29&type=code)

docs/audit_policies/windows/audit_detailed_file_share.md

@@ -0,0 +1,42 @@
+# Audit Detailed File Share
+
+## Setup
+
+Some detection rules require monitoring file share access to detect unauthorized access attempts or modifications. Enabling this setting helps improve security visibility and ensures compliance by tracking access to shared files and folders.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Detailed File Share` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Detailed File Share` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success,Failure)
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"File Share" /success:enable /failure:disable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **5145**: A network share object was checked to see whether client can be granted desired access.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+[Elastic Detection Rules Github Repo Search](https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225145%22+OR+%22network-share-object-access-checked%22%29++language%3ATOML&type=code)

docs/audit_policies/windows/audit_directory_service_access.md

@@ -0,0 +1,43 @@
+# Audit Directory Service Access
+
+## Setup
+
+Some detection rules require configuring audit policies to generate events when Active Directory objects are accessed. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Directory Service Access` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Access` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Access (Success,Failure)
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **4661**: A handle to an object was requested.
+* **4662**: An operation was performed on an object.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+[Elastic Detection Rules Github Repo Search](https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224661%22+OR+%224662%22+OR+%22object-operation-performed%22%29++language%3ATOML&type=code)