Merge branch 'main' into additional_genai_coverage

Author: Mikaayenson

detection_rules/config.py

@@ -227,7 +227,7 @@ def parse_rules_config(path: Path | None = None) -> RulesConfig:  # noqa: PLR091
             raise ValueError(f"rules config file does not exist: {path}")
         loaded = yaml.safe_load(path.read_text())
     elif CUSTOM_RULES_DIR:
-        path = Path(CUSTOM_RULES_DIR) / "_config.yaml"
+        path = Path(CUSTOM_RULES_DIR).expanduser() / "_config.yaml"
         if not path.exists():
             raise FileNotFoundError(
                 """

detection_rules/etc/deprecated_rules.json

@@ -359,6 +359,11 @@
     "rule_name": "Potential Persistence via Cron Job",
     "stack_version": "7.14.0"
   },
+  "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
+    "deprecation_date": "2025/11/21",
+    "rule_name": "Deprecated - AWS Root Login Without MFA",
+    "stack_version": "8.19"
+  },
   "c6474c34-4953-447a-903e-9fcb7b6661aa": {
     "deprecation_date": "2021/04/15",
     "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",

detection_rules/etc/integration-manifests.json.gz

@@ -145,7 +145,10 @@
     "kibana.alert.rule.threat.tactic.id": "keyword",
     "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword",
-    "kibana.alert.rule.name": "keyword"
+    "kibana.alert.rule.name": "keyword",
+    "kibana.alert.risk_score": "long",
+    "kibana.alert.rule.type": "keyword",
+    "kibana.alert.rule.threat.tactic.name": "keyword"
   },
   "logs-google_workspace*": {
     "gsuite.admin": "keyword",
@@ -234,7 +237,8 @@
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
      "o365.audit.OperationProperties.Name": "keyword",
      "o365.audit.OperationProperties.Value": "keyword",
-     "o365.audit.OperationCount": "long"
+     "o365.audit.OperationCount": "long",
+     "o365.audit.AppAccessContext.AADSessionId": "keyword"
   },
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",