elastic
diff --git a/‎rules/cross-platform/execution_potential_widespread_malware_infection.toml‎
Lines changed: 0 additions & 1 deletion b/‎rules/cross-platform/execution_potential_widespread_malware_infection.toml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎rules/cross-platform/initial_access_azure_o365_with_network_alert.toml‎
Lines changed: 19 additions & 20 deletions b/‎rules/cross-platform/initial_access_azure_o365_with_network_alert.toml‎
Lines changed: 19 additions & 20 deletions
diff --git a/‎rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml‎
Lines changed: 8 additions & 9 deletions b/‎rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml‎
Lines changed: 8 additions & 9 deletions
diff --git a/‎rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml‎
Lines changed: 8 additions & 9 deletions b/‎rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml‎
Lines changed: 8 additions & 9 deletions
diff --git a/‎rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml‎
Lines changed: 38 additions & 38 deletions b/‎rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml‎
Lines changed: 38 additions & 38 deletions
diff --git a/‎rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml‎
Lines changed: 3 additions & 5 deletions b/‎rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml‎
Lines changed: 3 additions & 5 deletions
@@ -69,7 +69,6 @@ from logs-endpoint.alerts-*
 | keep host.id, rule.name, event.code
 | stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code
 | where Esql.host_id_count_distinct >= 3
-
 '''
 
 
 
@@ -77,14 +77,14 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-*, .alerts-security.*
+from logs-*, .alerts-security.*
 // query runs every 1 hour looking for activities occurred during last 8 hours to match on disparate events
-| where @timestamp > NOW() - 8 hours
-// filter for Azure or M365 sign-in and External Alerts with source.ip not null
-| where TO_IP(source.ip) is not null
+| where @timestamp > now() - 8 hours
+// filter for azure or m365 sign-in and external alerts with source.ip not null
+| where to_ip(source.ip) is not null
   and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
-  and not CIDR_MATCH(
-    TO_IP(source.ip),
+  and not cidr_match(
+    to_ip(source.ip),
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
@@ -95,31 +95,30 @@ FROM logs-*, .alerts-security.*
 // capture relevant raw fields
 | keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
 
-// classify each source IP based on alert type
+// classify each source ip based on alert type
 | eval
-  Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", TO_IP(source.ip), null),
-  Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", TO_IP(source.ip), null),
-  Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "External Alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), TO_IP(source.ip), null)
+  Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
+  Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
+  Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "external alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
 
-// aggregate by source IP
+// aggregate by source ip
 | stats
     Esql.event_count = count(*),
-    Esql.source_ip_mail_access_case_count_distinct = COUNT_DISTINCT(Esql.source_ip_mail_access_case),
-    Esql.source_ip_azure_signin_case_count_distinct = COUNT_DISTINCT(Esql.source_ip_azure_signin_case),
-    Esql.source_ip_network_alert_case_count_distinct = COUNT_DISTINCT(Esql.source_ip_network_alert_case),
-    Esql.event_dataset_count_distinct = COUNT_DISTINCT(event.dataset),
-    Esql.event_dataset_values = VALUES(event.dataset),
-    Esql.kibana_alert_rule_name_values = VALUES(kibana.alert.rule.name),
-    Esql.event_category_values = VALUES(event.category)
-  by Esql.source_ip = TO_IP(source.ip)
+    Esql.source_ip_mail_access_case_count_distinct = count_distinct(Esql.source_ip_mail_access_case),
+    Esql.source_ip_azure_signin_case_count_distinct = count_distinct(Esql.source_ip_azure_signin_case),
+    Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
+    Esql.event_dataset_count_distinct = count_distinct(event.dataset),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
+    Esql.event_category_values = values(event.category)
+  by Esql.source_ip = to_ip(source.ip)
 
 // correlation condition
 | where
   Esql.source_ip_network_alert_case_count_distinct > 0
   and Esql.event_dataset_count_distinct >= 2
   and (Esql.source_ip_mail_access_case_count_distinct > 0 or Esql.source_ip_azure_signin_case_count_distinct > 0)
   and Esql.event_count <= 100
-
 '''
 
 
 
@@ -86,39 +86,38 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-aws.cloudtrail-*
+from logs-aws.cloudtrail-*
 
 // filter for DescribeInstances API calls
 | where event.dataset == "aws.cloudtrail"
   and event.provider == "ec2.amazonaws.com"
   and event.action == "DescribeInstances"
 
 // truncate the timestamp to a 30-second window
-| eval Esql.time_window_date_trunc = DATE_TRUNC(30 seconds, @timestamp)
+| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)
 
 // keep only the relevant raw fields
 | keep Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, cloud.region
 
 // count the number of unique regions and total API calls within the 30-second window
 | stats
-    Esql.cloud_region_count_distinct = COUNT_DISTINCT(cloud.region),
-    Esql.event_count = COUNT(*)
+    Esql.cloud_region_count_distinct = count_distinct(cloud.region),
+    Esql.event_count = count(*)
   by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
 // filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
 | where Esql.cloud_region_count_distinct >= 10 and Esql.event_count >= 10
 
 // sort the results by time window in descending order
 | sort Esql.time_window_date_trunc desc
-
 '''
 
 [rule.investigation_fields]
 field_names = [
-    "aws.cloudtrail.user_identity.arn",
-    "target_time_window",
-    "region_count",
-    "window_count"
+  "aws.cloudtrail.user_identity.arn",
+  "target_time_window",
+  "region_count",
+  "window_count"
 ]
 
 [[rule.threat]]
 
@@ -80,10 +80,10 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-aws.cloudtrail*
+from logs-aws.cloudtrail*
 
 // create time window buckets of 10 seconds
-| eval Esql.time_window_date_trunc = DATE_TRUNC(10 seconds, @timestamp)
+| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
 | where
     event.dataset == "aws.cloudtrail"
 
@@ -111,30 +111,29 @@ FROM logs-aws.cloudtrail*
 
 // filter for Describe, Get, List, and Generate API calls
 | where true in (
-    STARTS_WITH(event.action, "Describe"),
-    STARTS_WITH(event.action, "Get"),
-    STARTS_WITH(event.action, "List"),
-    STARTS_WITH(event.action, "Generate")
+    starts_with(event.action, "Describe"),
+    starts_with(event.action, "Get"),
+    starts_with(event.action, "List"),
+    starts_with(event.action, "Generate")
 )
 
 // extract owner, identity type, and actor from the ARN
 | dissect aws.cloudtrail.user_identity.arn "%{}::%{Esql_priv.aws_cloudtrail_user_identity_arn_owner}:%{Esql.aws_cloudtrail_user_identity_arn_type}/%{Esql.aws_cloudtrail_user_identity_arn_roles}"
-| where STARTS_WITH(Esql.aws_cloudtrail_user_identity_arn_roles, "AWSServiceRoleForConfig") != true
+| where starts_with(Esql.aws_cloudtrail_user_identity_arn_roles, "AWSServiceRoleForConfig") != true
 
 // keep relevant fields (preserving ECS fields and computed time window)
 | keep @timestamp, Esql.time_window_date_trunc, event.action, aws.cloudtrail.user_identity.arn
 
 // count the number of unique API calls per time window and actor
 | stats
-    Esql.event_action_count_distinct = COUNT_DISTINCT(event.action)
+    Esql.event_action_count_distinct = count_distinct(event.action)
   by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
 // filter for more than 5 unique API calls per 10s window
 | where Esql.event_action_count_distinct > 5
 
 // sort the results by the number of unique API calls in descending order
 | sort Esql.event_action_count_distinct desc
-
 '''
 
 
 
@@ -15,6 +15,40 @@ from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS Service Quotas Multi-Region `GetServiceQuota` Requests"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating AWS Service Quotas Multi-Region `GetServiceQuota` Requests
+
+AWS Service Quotas manage resource limits across AWS services, crucial for maintaining operational boundaries. Adversaries may exploit `GetServiceQuota` API calls to probe AWS infrastructure, seeking vulnerabilities for deploying threats like cryptocurrency miners. The detection rule identifies unusual multi-region queries for EC2 quotas, signaling potential credential compromise or unauthorized access attempts.
+
+### Possible investigation steps
+
+- Review the AWS CloudTrail logs to identify the specific user or role associated with the `aws.cloudtrail.user_identity.arn` field that triggered the alert. Determine if this user or role should have access to multiple regions.
+- Examine the `cloud.region` field to identify which regions were accessed and verify if these regions are typically used by your organization. Investigate any unfamiliar regions for unauthorized activity.
+- Check the AWS IAM policies and permissions associated with the identified user or role to ensure they align with the principle of least privilege. Look for any recent changes or anomalies in permissions.
+- Investigate the source IP addresses and locations from which the `GetServiceQuota` API calls were made to determine if they match expected patterns for your organization. Look for any unusual or suspicious IP addresses.
+- Review recent activity logs for the identified user or role to detect any other unusual or unauthorized actions, such as attempts to launch EC2 instances or access other AWS services.
+- If a compromise is suspected, consider rotating the credentials for the affected user or role and implementing additional security measures, such as multi-factor authentication (MFA) and enhanced monitoring.
+
+### False positive analysis
+
+- Legitimate multi-region operations: Organizations with a global presence may have legitimate reasons for querying EC2 service quotas across multiple regions. To handle this, users can create exceptions for known accounts or roles that regularly perform such operations.
+- Automated infrastructure management tools: Some tools or scripts designed for infrastructure management might perform multi-region `GetServiceQuota` requests as part of their normal operation. Users should identify these tools and exclude their activity from triggering alerts by whitelisting their associated user identities or ARNs.
+- Testing and development activities: Developers or testers might intentionally perform multi-region queries during testing phases. Users can mitigate false positives by setting up temporary exceptions for specific time frames or user identities involved in testing.
+- Cloud service providers or partners: Third-party services or partners managing AWS resources on behalf of an organization might generate similar patterns. Users should establish trust relationships and exclude these entities from detection by verifying their activities and adding them to an exception list.
+
+### Response and remediation
+
+- Immediately isolate the AWS account or IAM user identified in the alert to prevent further unauthorized access. This can be done by disabling the access keys or suspending the account temporarily.
+- Conduct a thorough review of the AWS CloudTrail logs for the identified user or resource to determine the extent of the unauthorized activity and identify any other potentially compromised resources.
+- Rotate all access keys and passwords associated with the compromised account or IAM user to prevent further unauthorized access.
+- Implement additional security measures such as enabling multi-factor authentication (MFA) for all IAM users and roles to enhance account security.
+- Notify the security operations team and relevant stakeholders about the potential compromise and the steps being taken to remediate the issue.
+- If evidence of compromise is confirmed, consider engaging AWS Support or a third-party incident response team for further investigation and assistance.
+- Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of future unauthorized access attempts."""
 references = [
     "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
     "https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_GetServiceQuota.html",
@@ -35,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-aws.cloudtrail-*
+from logs-aws.cloudtrail-*
 
 // filter for GetServiceQuota API calls
 | where
@@ -44,7 +78,7 @@ FROM logs-aws.cloudtrail-*
   and event.action == "GetServiceQuota"
 
 // truncate the timestamp to a 30-second window
-| eval Esql.time_window_date_trunc = DATE_TRUNC(30 seconds, @timestamp)
+| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)
 
 // dissect request parameters to extract service and quota code
 | dissect aws.cloudtrail.request_parameters "{%{?Esql.aws_cloudtrail_request_parameters_service_code_key}=%{Esql.aws_cloudtrail_request_parameters_service_code}, %{?quota_code_key}=%{Esql.aws_cloudtrail_request_parameters_quota_code}}"
@@ -62,8 +96,8 @@ FROM logs-aws.cloudtrail-*
 
 // count the number of unique regions and total API calls within the time window
 | stats
-    Esql.cloud_region_count_distinct = COUNT_DISTINCT(cloud.region),
-    Esql.event_count = COUNT(*)
+    Esql.cloud_region_count_distinct = count_distinct(cloud.region),
+    Esql.event_count = count(*)
   by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
 
 // filter for API calls in more than 10 regions within the 30-second window
@@ -73,42 +107,8 @@ FROM logs-aws.cloudtrail-*
 
 // sort by time window descending
 | sort Esql.time_window_date_trunc desc
-
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating AWS Service Quotas Multi-Region `GetServiceQuota` Requests
-
-AWS Service Quotas manage resource limits across AWS services, crucial for maintaining operational boundaries. Adversaries may exploit `GetServiceQuota` API calls to probe AWS infrastructure, seeking vulnerabilities for deploying threats like cryptocurrency miners. The detection rule identifies unusual multi-region queries for EC2 quotas, signaling potential credential compromise or unauthorized access attempts.
-
-### Possible investigation steps
-
-- Review the AWS CloudTrail logs to identify the specific user or role associated with the `aws.cloudtrail.user_identity.arn` field that triggered the alert. Determine if this user or role should have access to multiple regions.
-- Examine the `cloud.region` field to identify which regions were accessed and verify if these regions are typically used by your organization. Investigate any unfamiliar regions for unauthorized activity.
-- Check the AWS IAM policies and permissions associated with the identified user or role to ensure they align with the principle of least privilege. Look for any recent changes or anomalies in permissions.
-- Investigate the source IP addresses and locations from which the `GetServiceQuota` API calls were made to determine if they match expected patterns for your organization. Look for any unusual or suspicious IP addresses.
-- Review recent activity logs for the identified user or role to detect any other unusual or unauthorized actions, such as attempts to launch EC2 instances or access other AWS services.
-- If a compromise is suspected, consider rotating the credentials for the affected user or role and implementing additional security measures, such as multi-factor authentication (MFA) and enhanced monitoring.
-
-### False positive analysis
 
-- Legitimate multi-region operations: Organizations with a global presence may have legitimate reasons for querying EC2 service quotas across multiple regions. To handle this, users can create exceptions for known accounts or roles that regularly perform such operations.
-- Automated infrastructure management tools: Some tools or scripts designed for infrastructure management might perform multi-region `GetServiceQuota` requests as part of their normal operation. Users should identify these tools and exclude their activity from triggering alerts by whitelisting their associated user identities or ARNs.
-- Testing and development activities: Developers or testers might intentionally perform multi-region queries during testing phases. Users can mitigate false positives by setting up temporary exceptions for specific time frames or user identities involved in testing.
-- Cloud service providers or partners: Third-party services or partners managing AWS resources on behalf of an organization might generate similar patterns. Users should establish trust relationships and exclude these entities from detection by verifying their activities and adding them to an exception list.
-
-### Response and remediation
-
-- Immediately isolate the AWS account or IAM user identified in the alert to prevent further unauthorized access. This can be done by disabling the access keys or suspending the account temporarily.
-- Conduct a thorough review of the AWS CloudTrail logs for the identified user or resource to determine the extent of the unauthorized activity and identify any other potentially compromised resources.
-- Rotate all access keys and passwords associated with the compromised account or IAM user to prevent further unauthorized access.
-- Implement additional security measures such as enabling multi-factor authentication (MFA) for all IAM users and roles to enhance account security.
-- Notify the security operations team and relevant stakeholders about the potential compromise and the steps being taken to remediate the issue.
-- If evidence of compromise is confirmed, consider engaging AWS Support or a third-party incident response team for further investigation and assistance.
-- Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of future unauthorized access attempts."""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -21,8 +21,7 @@ interval = "5m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS EC2 EBS Snapshot Shared or Made Public"
-note = """
-## Triage and analysis
+note = """## Triage and analysis
 
 ### Investigating AWS EC2 EBS Snapshot Shared or Made Public
 
@@ -80,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
+from logs-aws.cloudtrail-* metadata _id, _version, _index
 | where
   event.provider == "ec2.amazonaws.com"
   and event.action == "ModifySnapshotAttribute"
@@ -95,7 +94,7 @@ FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
   Esql.aws_cloudtrail_request_parameters_operation_type == "add"
   and cloud.account.id != Esql_priv.aws_cloudtrail_request_parameters_user_id
 
-// Keep ECS and derived fields
+// keep ECS and derived fields
 | keep
   @timestamp,
   aws.cloudtrail.user_identity.arn,
@@ -106,7 +105,6 @@ FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
   Esql.aws_cloudtrail_request_parameters_operation_type,
   Esql_priv.aws_cloudtrail_request_parameters_user_id,
   source.ip
-
 '''