elastic
diff --git a/‎rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml‎
Lines changed: 22 additions & 8 deletions b/‎rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml‎
Lines changed: 22 additions & 8 deletions
diff --git a/‎rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml‎
Lines changed: 17 additions & 17 deletions b/‎rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml‎
Lines changed: 17 additions & 17 deletions
diff --git a/‎rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml‎
Lines changed: 25 additions & 6 deletions b/‎rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml‎
Lines changed: 25 additions & 6 deletions
diff --git a/‎rules/linux/defense_evasion_multi_base64_decoding_attempt.toml‎
Lines changed: 120 additions & 0 deletions b/‎rules/linux/defense_evasion_multi_base64_decoding_attempt.toml‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml‎
Lines changed: 6 additions & 3 deletions b/‎rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml‎
Lines changed: 6 additions & 3 deletions
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/08/18"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -12,18 +12,17 @@ attempt to leverage the compromised service to access secrets in AWS Secrets Man
 a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue`
 or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
 setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An
-adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely
-on the compromised service's IAM role to access the secrets in Secrets Manager.
+adversary with access to a compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager.
 """
 false_positives = [
     """
     Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified
     SecretId. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
@@ -33,7 +32,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.
+This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` or `BatchGetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
 
 #### Possible investigation steps
 
@@ -53,7 +52,7 @@ This rule looks for the retrieval of credentials using `GetSecretValue` action i
 
 ### False positive analysis
 
-- Review `user.id` values for expected ARNs. If this is an expected behavior, consider adding exceptions to the rule.
+- Review `actor.entity.id` and `target.entity.id` values for expected combinations of identity and secret value access. If this is an expected behavior, consider adding exceptions to the rule.
 - False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.
 
 ### Response and remediation
@@ -101,6 +100,21 @@ event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
     not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -122,7 +136,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id"]
+value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
 
@@ -2,25 +2,25 @@
 creation_date = "2024/05/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/08/19"
 
 [rule]
 author = ["Elastic"]
 description = """
 An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and
 determine what account they are using. This rule looks for the first time an identity has called the
-STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials.
-A legitimate user would not need to call this operation as they should know the account they are using.
+STS GetCallerIdentity API, which may be an indicator of compromised credentials.
+A legitimate user would not need to perform this operation as they should know the account they are using.
 """
 false_positives = [
     """
-    Verify whether the user identity should be using the STS `GetCallerIdentity` API operation.
+    Verify whether the user identity should be using the STS GetCallerIdentity API.
     If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS STS GetCallerIdentity API Called for the First Time"
@@ -29,13 +29,13 @@ note = """## Triage and analysis
 ### Investigating AWS STS GetCallerIdentity API Called for the First Time
 
 AWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.
-The `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.
+The `GetCallerIdentity` API returns details about the IAM user or role owning the credentials used to perform the operation.
 No permissions are required to run this operation and the same information is returned even when access is denied.
-This rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.
+This rule looks for use of the `GetCallerIdentity` API, excluding the `AssumedRole` identity type as use of `GetCallerIdentity` after assuming a role is common practice. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating the first time a specific user identity has performed this operation.
 
 #### Possible investigation steps
 
-- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.
+- Identify the account and its role in the environment.
 - Identify the applications or users that should use this account.
 - Investigate other alerts associated with the account during the past 48 hours.
 - Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.
@@ -44,14 +44,13 @@ This rule looks for use of the `GetCallerIdentity` operation. This is a [New Ter
 - Considering the source IP address and geolocation of the user who issued the command:
     - Do they look normal for the calling user?
     - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
-    - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
 - Review IAM permission policies for the user identity.
 - If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
 
 ### False positive analysis
 
 - False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.
-- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.
+- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.id` or `aws.cloudtrail.user_identity.arn` values to ignore these.
 
 ### Response and remediation
 
@@ -75,7 +74,7 @@ This rule looks for use of the `GetCallerIdentity` operation. This is a [New Ter
 references = [
     "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html",
     "https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials",
-    "https://detectioninthe.cloud/ttps/discovery/get_caller_identity/",
+    "https://detectioninthe.cloud/ttps/discovery/sts_get_caller_identity",
 ]
 risk_score = 47
 rule_id = "30fbf4db-c502-4e68-a239-2e99af0f70da"
@@ -104,14 +103,15 @@ event.dataset: "aws.cloudtrail"
 field_names = [
     "@timestamp",
     "user.name",
-    "source.address",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.arn",
     "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
     "event.action",
     "event.outcome",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
+    "cloud.account.id",
+    "cloud.region"
 ]
 
 [[rule.threat]]
 
@@ -2,7 +2,7 @@
 creation_date = "2024/10/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/20"
 
 
 [rule]
@@ -14,7 +14,9 @@ While a new MFA device is not always indicative of malicious behavior it should
 false_positives = [
     "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes and to perform periodic tasks such as data backups, updates, or deployments.",
 ]
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS STS AssumeRole with New MFA Device"
@@ -29,10 +31,10 @@ AWS Security Token Service (STS) allows users to assume roles and gain temporary
 
 ### Possible investigation steps
 
-- Review the event details in AWS CloudTrail to identify the user who assumed the role, focusing on the user.id field to determine if the user is legitimate and authorized to use the new MFA device.
-- Check the serialNumber in the aws.cloudtrail.flattened.request_parameters to verify the registration and legitimacy of the new MFA device associated with the role assumption.
-- Investigate the context of the AssumeRole action by examining the event.action field to understand if it was part of a legitimate workflow or an unusual activity.
-- Analyze the event.outcome field to confirm the success of the role assumption and cross-reference with any recent changes in user permissions or MFA device registrations.
+- Review the event details in AWS CloudTrail to identify the user who assumed the role, focusing on the `user.id` or `aws.cloudtrail.user_identity.arn` field to determine if the user is legitimate and authorized to use the new MFA device.
+- Check the serialNumber in `aws.cloudtrail.request_parameters` to verify the registration and legitimacy of the new MFA device associated with the role assumption.
+- Investigate the context of the AssumeRole action by examining surrounding events to understand if it was part of a legitimate workflow or an unusual activity.
+- Cross-reference with any recent changes in user permissions or MFA device registrations.
 - Correlate the event with other logs or alerts to identify any patterns of suspicious behavior, such as multiple role assumptions or changes in MFA devices within a short timeframe.
 - Contact the user or relevant team to confirm if the new MFA device registration and role assumption were expected and authorized.
 
@@ -83,10 +85,27 @@ event.dataset:aws.cloudtrail
     and event.provider:sts.amazonaws.com
     and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
     and event.outcome:success
-    and user.id:*
     and aws.cloudtrail.flattened.request_parameters.serialNumber:*
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "aws.cloudtrail.resources.arn",    
+    "aws.cloudtrail.resources.type",   
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2025/07/24"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/07/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the execution of multiple base64 decoding commands to decode data. multi-decoded
+data is suspicious, and may be used by attackers to obfuscate malicious payloads or commands.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Multi-Base64 Decoding Attempt from Suspicious Location"
+risk_score = 21
+rule_id = "03d856c2-7f74-4540-a530-e20af5e39789"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+]
+type = "eql"
+query = '''
+sequence by process.parent.entity_id with maxspan=3s
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.executable != null and
+   process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and
+   // Only including potentially suspicious locations
+   process.args like~ ("-d*", "--d*") and process.working_directory like (
+     "/tmp/*", "/var/tmp*", "/dev/shm/*", "/var/www/*", "/home/*", "/root/*"
+   ) and not (
+     process.parent.executable in (
+       "/usr/share/ec2-instance-connect/eic_curl_authorized_keys", "/etc/cron.daily/vivaldi",
+       "/etc/cron.daily/opera-browser"
+     ) or
+     process.working_directory like (
+       "/opt/microsoft/omsagent/plugin", "/opt/rapid7/ir_agent/*", "/tmp/newroot/*"
+      )
+   )]
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.executable != null and
+   process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and
+   process.args like~ ("-d*", "--d*")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  name = "Defense Evasion"
+  id = "TA0005"
+  reference = "https://attack.mitre.org/tactics/TA0005/"
+
+    [[rule.threat.technique]]
+    name = "Obfuscated Files or Information"
+    id = "T1027"
+    reference = "https://attack.mitre.org/techniques/T1027/"
+
+    [[rule.threat.technique]]
+    name = "Deobfuscate/Decode Files or Information"
+    id = "T1140"
+    reference = "https://attack.mitre.org/techniques/T1140/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  name = "Execution"
+  id = "TA0002"
+  reference = "https://attack.mitre.org/tactics/TA0002/"
+
+    [[rule.threat.technique]]
+    id = "T1059"
+    name = "Command and Scripting Interpreter"
+    reference = "https://attack.mitre.org/techniques/T1059/"
+
+      [[rule.threat.technique.subtechnique]]
+      name = "Unix Shell"
+      id = "T1059.004"
+      reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+    [[rule.threat.technique]]
+    name = "User Execution"
+    id = "T1204"
+    reference = "https://attack.mitre.org/techniques/T1204/"
+
+      [[rule.threat.technique.subtechnique]]
+      name = "Malicious File"
+      id = "T1204.002"
+      reference = "https://attack.mitre.org/techniques/T1204/002/"
@@ -2,7 +2,7 @@
 creation_date = "2025/03/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -164,7 +164,10 @@ destination.domain : (
     i.imgur.com or
     the.earth.li or
     *.trycloudflare.com
-)
+) and 
+not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and 
+not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true)  and 
+not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)
 '''
 
 [[rule.threat]]
@@ -191,4 +194,4 @@ value = ["host.id", "process.executable", "destination.domain"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-7d"