Merge branch 'main' into Samirbous-patch-1

Author: Samirbous

.github/workflows/esql-validation.yml

@@ -2,8 +2,6 @@ name: ES|QL Validation
 on:
     pull_request:
       branches: [ "*" ]
-      paths:
-        - 'rules/**/*.toml'
 jobs:
   build-and-validate:
     runs-on: ubuntu-latest

.github/workflows/kibana-mitre-update.yml

@@ -18,7 +18,7 @@ jobs:
 
       - name: Get MITRE Attack changed files
         id: changed-attack-files
-        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
         with:
           files: detection_rules/etc/attack-v*.json.gz
 

.github/workflows/lock-versions.yml

@@ -37,7 +37,57 @@ jobs:
           pip cache purge
           pip install .[dev]
 
+      - name: Check out container repository
+        env:
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+          DR_API_KEY: ${{ secrets.dr_api_key }}
+        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          path: elastic-container
+          repository: peasead/elastic-container
+
+      - name: Build and run containers
+        env:
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+          DR_API_KEY: ${{ secrets.dr_api_key }}
+        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }} 
+        run: |
+          cd elastic-container
+          GENERATED_PASSWORD=$(openssl rand -base64 16)
+          sed -i "s|changeme|$GENERATED_PASSWORD|" .env
+          echo "::add-mask::$GENERATED_PASSWORD"
+          echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> $GITHUB_ENV
+          set -x
+          bash elastic-container.sh start
+          
+      - name: Get API Key and setup auth
+        env:
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+          DR_API_KEY: ${{ secrets.dr_api_key }}
+          DR_ELASTICSEARCH_URL: "https://localhost:9200"
+          ES_USER: "elastic"
+          ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
+        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+        run: |
+          cd detection-rules
+          response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
+            "name": "tmp-api-key",
+            "expiration": "1d"
+          }' "$DR_ELASTICSEARCH_URL/_security/api_key")
+
+          DR_API_KEY=$(echo "$response" | jq -r '.encoded')
+          echo "::add-mask::$DR_API_KEY"
+          echo "DR_API_KEY=$DR_API_KEY" >> $GITHUB_ENV
+
       - name: Build release package with navigator files
+        env:
+          DR_REMOTE_ESQL_VALIDATION: "true"
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
+          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
+          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
+          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
+          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
         run: |
           python -m detection_rules dev build-release --generate-navigator
 
@@ -56,6 +106,12 @@ jobs:
       - name: Lock the versions
         env:
           BRANCHES: "${{github.event.inputs.branches}}"
+          DR_REMOTE_ESQL_VALIDATION: "true"
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
+          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
+          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
+          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
+          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
         run: |
           ./detection_rules/etc/lock-multiple.sh $BRANCHES
           git add detection_rules/etc/version.lock.json

.github/workflows/release-fleet.yml

@@ -112,7 +112,57 @@ jobs:
             git tag $RELEASE_TAG
             git push origin $RELEASE_TAG
 
+        - name: Check out container repository
+          env:
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+            DR_API_KEY: ${{ secrets.dr_api_key }}
+          if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+          uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          with:
+            path: elastic-container
+            repository: peasead/elastic-container
+
+        - name: Build and run containers
+          env:
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+            DR_API_KEY: ${{ secrets.dr_api_key }}
+          if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }} 
+          run: |
+            cd elastic-container
+            GENERATED_PASSWORD=$(openssl rand -base64 16)
+            sed -i "s|changeme|$GENERATED_PASSWORD|" .env
+            echo "::add-mask::$GENERATED_PASSWORD"
+            echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> $GITHUB_ENV
+            set -x
+            bash elastic-container.sh start
+          
+        - name: Get API Key and setup auth
+          env:
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+            DR_API_KEY: ${{ secrets.dr_api_key }}
+            DR_ELASTICSEARCH_URL: "https://localhost:9200"
+            ES_USER: "elastic"
+            ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
+          if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+          run: |
+            cd detection-rules
+            response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
+              "name": "tmp-api-key",
+              "expiration": "1d"
+            }' "$DR_ELASTICSEARCH_URL/_security/api_key")
+
+            DR_API_KEY=$(echo "$response" | jq -r '.encoded')
+            echo "::add-mask::$DR_API_KEY"
+            echo "DR_API_KEY=$DR_API_KEY" >> $GITHUB_ENV
+
         - name: Build release package
+          env:
+            DR_REMOTE_ESQL_VALIDATION: "true"
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
+            DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
+            DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
+            DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
+            DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
           run: |
             cd detection-rules
             python -m detection_rules dev build-release

detection_rules/index_mappings.py

@@ -261,7 +261,6 @@ def get_filtered_index_schema(
     filtered_keys.update(non_ecs_indices.keys())
     filtered_keys.update(custom_indices.keys())
     filtered_keys.add("logs-endpoint.alerts-*")
-    filtered_keys.update(indices)
 
     matches: list[str] = []
     for index in indices:

detection_rules/rule.py

@@ -1528,7 +1528,11 @@ def get_packaged_integrations(
                 *definitions.NON_DATASET_PACKAGES,
                 *map(str.lower, definitions.MACHINE_LEARNING_PACKAGES),
             ]
-            if integration in ineligible_integrations or isinstance(data, MachineLearningRuleData):
+            if (
+                integration in ineligible_integrations
+                or isinstance(data, MachineLearningRuleData)
+                or (isinstance(data, ESQLRuleData) and integration not in datasets)
+            ):
                 packaged_integrations.append({"package": integration, "integration": None})
 
         packaged_integrations.extend(parse_datasets(list(datasets), package_manifest))

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.2"
+version = "1.5.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.agent_id_status:(agent_id_mismatch or mismatch)
+event.agent_id_status:(agent_id_mismatch or mismatch) and not host.name:agentless-*
 '''
 note = """## Triage and analysis