Merge branch 'main' into additional_genai_coverage

Author: Mikaayenson

rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

@@ -0,0 +1,198 @@
+[metadata]
+creation_date = "2025/12/01"
+integration = ["aws", "gcp", "azure"]
+maturity = "production"
+updated_date = "2025/12/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
+address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
+to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
+succession to expand their access or exfiltrate sensitive information.
+"""
+from = "now-9m"
+interval = "5m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Cloud Secrets Accessed by Source Address"
+note = """## Triage and analysis
+
+### Multiple Cloud Secrets Accessed by Source Address
+
+This alert identifies a single source IP address accessing secret-management APIs across **multiple cloud providers**
+(e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) within a short timeframe.
+This behavior is strongly associated with **credential theft, session hijacking, or token replay**, where an adversary
+uses stolen authenticated sessions to harvest secrets across cloud environments.
+
+Unexpected cross-cloud secret retrieval is uncommon and typically indicates automation misuse or malicious activity.
+
+### Possible investigation steps
+
+- Validate the principal
+  - Identify the user, service account, workload identity, or application making the requests.
+  - Confirm whether this identity is expected to operate across more than one cloud provider.
+- Review related activity
+  - Look for additional alerts involving the same identity, source IP, or token over the last 24–48 hours.
+  - Identify whether the source IP has been observed performing unusual authentication, privilege escalation,
+    or reconnaissance.
+- Check application or service context
+  - Determine whether any workload legitimately pulls secrets from multiple cloud providers.
+  - Review deployment pipelines or integration layers that might legitimately bridge AWS, Azure, and GCP.
+- Analyze user agent and invocation patterns
+  - Compare `user_agent.original` or equivalent fields against expected SDKs or automation tools.
+  - Suspicious indicators include CLI tools, unknown libraries, browser user agents, or custom scripts.
+- Inspect IP reputation and origin
+  - Determine whether the source IP corresponds to a managed workload (EC2, GCE, Azure VM) or an unexpected host.
+  - Validate that the associated instance or host is under your control and behaving normally.
+- Review IAM permissions and accessed secrets
+  - Check the policies attached to the identity.
+  - Verify whether the accessed secrets are sensitive, unused, or unrelated to the identity’s purpose.
+- Assess potential compromise scope
+  - If compromise is suspected, enumerate other assets accessed by the same identity in the last 24 hours.
+  - Look for lateral movement, privilege escalation, or abnormal API usage.
+
+### False positive analysis
+
+- Validate whether the source IP is associated with a legitimate multi-cloud orchestration tool, automation pipeline,
+  or shared CI/CD system.
+- Confirm that the identity is authorized to access secrets across multiple cloud services.
+- If activity is expected, consider adding exceptions that pair account identity, source IP, and expected user agent
+  to reduce noise.
+
+### Response and remediation
+
+- Initiate incident response** if the activity is unauthorized or suspicious.
+- Restrict or disable** the affected credentials or service accounts.
+- Rotate all accessed secrets** and review other secrets the identity can access.
+- Analyze systems** that may have leaked credentials, such as compromised hosts or exposed tokens.
+- Harden identity security:
+  - Enforce MFA for users where applicable.
+  - Reduce permissions to least privilege.
+  - Review trust relationships, workload identities, and cross-cloud integrations.
+- Search for persistence mechanisms** such as newly created keys, roles, or service accounts.
+- Improve monitoring and audit visibility** by ensuring logging is enabled across all cloud environments.
+- Determine root cause** (phishing, malware, token replay, exposed credential, etc.) and close the vector to prevent recurrence.
+"""
+references = [
+    "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+    "https://docs.cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version",
+    "https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets",
+    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+]
+risk_score = 73
+rule_id = "472b4944-d810-43cf-83dc-7d080ae1b8dd"
+setup = """
+This multi-datasource rule relies on additional configurations from each hyperscaler.
+
+- GCP Audit: [Enable DATA_READ for the Secret Manager API service](https://docs.cloud.google.com/logging/docs/audit/configure-data-access)
+- Azure: [Enable Diagnostic Logging for the Key Vault Service](https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli)
+- AWS: Secrets Manager read access is automatically logged by CloudTrail.
+"""
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: IAM",
+    "Domain: Storage",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS Secrets Manager",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Data Source: GCP",
+    "Data Source: Google Cloud Platform",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
+| WHERE 
+  ( 
+    /* AWS Secrets Manager */ 
+    (event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR 
+    // Azure Key Vault (platform logs)
+    (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or 
+    /* Azure Key Vault (activity logs) */ 
+    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR 
+    /* Azure Managed HSM secret */ 
+    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR 
+    /* Google Secret Manager */ 
+    (event.dataset IN ("googlecloud.audit", "gcp.audit") AND 
+     event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
+   ) AND source.ip IS NOT NULL
+// Unified user identity (raw)
+| EVAL Esql_priv.user_id =
+    COALESCE(
+      client.user.id,
+      aws.cloudtrail.user_identity.arn,
+      azure.platformlogs.identity.claim.upn,
+      NULL
+    )
+// Cloud vendor label based on dataset
+| EVAL Esql.cloud_vendor = CASE(
+    event.dataset == "aws.cloudtrail", "aws",
+    event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
+    event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
+    "unknown"
+  )
+// Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
+| EVAL Esql.tenant_label = CASE(
+    Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
+    Esql.cloud_vendor == "azure", CONCAT("azure:", cloud.account.id),
+    Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
+    NULL
+  )
+| STATS
+    // Core counts
+    Esql.events_count = COUNT(*),
+    Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
+    // Action & data source context
+    Esql.event_action_values = VALUES(event.action),
+    Esql.data_source_values = VALUES(event.dataset),
+    // Cloud vendor + tenant context
+    Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
+    Esql.tenant_label_values = VALUES(Esql.tenant_label),
+    // Hyperscaler-specific IDs
+    Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
+    Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
+    Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
+    // Generic cloud metadata
+    Esql.cloud_region_values = VALUES(cloud.region),
+    Esql.cloud_service_name_values = VALUES(cloud.service.name),
+    // Identity (privileged)
+    Esql_priv.user_values = VALUES(Esql_priv.user_id),
+    Esql_priv.client_user_id_values = VALUES(client.user.id),
+    Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
+    Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
+    // Namespace values
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
+  BY source.ip
+// Require multi-vendor cred-access from same source IP
+| WHERE Esql.vendor_count_distinct >= 2
+| SORT Esql.events_count DESC
+| KEEP Esql.*, Esql_priv.*, source.ip
+'''
+
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.006"
+name = "Cloud Secrets Management Stores"
+reference = "https://attack.mitre.org/techniques/T1555/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"

rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml

@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2025/11/27"
+integration = ["nginx", "apache", "apache_tomcat"]
+maturity = "production"
+updated_date = "2025/11/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying
+HTTP traffic that uses a different HTTP version than the one typically used in the environment. An
+HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, 
+resulting in potentially less secure communication. For example, an attacker might downgrade a
+connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in
+the older protocol versions.
+"""
+from = "now-9m"
+index = [
+        "logs-nginx.access-*",
+        "logs-apache.access-*",
+        "logs-apache_tomcat.access-*",
+]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential HTTP Downgrade Attack"
+risk_score = 21
+rule_id = "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+http.version:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.010"
+name = "Downgrade Attack"
+reference = "https://attack.mitre.org/techniques/T1562/010/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["http.version", "agent.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"

…re_or_post_install_script_execution.toml …re_or_post_install_script_execution.tomlrules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml renamed to rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml renamed to rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,11 +13,15 @@ this technique to execute arbitrary commands on the system and establish persist
 was observed in the wild as part of the Shai-Hulud worm.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Node.js Pre or Post-Install Script Execution"
-references = ["https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise"]
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+    "https://www.elastic.co/blog/shai-hulud-worm-2-0-updated-response",
+]
 risk_score = 47
 rule_id = "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db"
 setup = """## Setup
@@ -49,42 +53,26 @@ severity = "medium"
 tags = [
   "Domain: Endpoint",
   "OS: Linux",
+  "OS: macOS",
   "Use Case: Threat Detection",
   "Tactic: Persistence",
   "Tactic: Execution",
   "Tactic: Defense Evasion",
   "Data Source: Elastic Defend",
   "Resources: Investigation Guide",
   "Data Source: Crowdstrike",
+  "Data Source: SentinelOne",
 ]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=10s
-  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name == "node" and process.args == "install"] by process.entity_id
-  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node"] by process.parent.entity_id
+  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.name == "node" and process.args == "install"] by process.entity_id
+  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.parent.name == "node"] by process.parent.entity_id
 '''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -95,6 +83,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.005"
+name = "Malicious Library"
+reference = "https://attack.mitre.org/techniques/T1204/005/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -103,6 +101,24 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"