Merge branch 'main' into terrancedejesus/issue5353

Author: terrancedejesus

detection_rules/etc/integration-manifests.json.gz

@@ -145,7 +145,10 @@
     "kibana.alert.rule.threat.tactic.id": "keyword",
     "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword",
-    "kibana.alert.rule.name": "keyword"
+    "kibana.alert.rule.name": "keyword", 
+    "kibana.alert.risk_score": "long",
+    "kibana.alert.rule.type": "keyword",
+    "kibana.alert.rule.threat.tactic.name": "keyword"
   },
   "logs-google_workspace*": {
     "gsuite.admin": "keyword",

detection_rules/etc/integration-schemas.json.gz

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.13"
+version = "1.5.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

detection_rules/etc/non-ecs-schema.json

@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/10/10"
+deprecation_date = "2025/11/21"
+maturity = "deprecated"
+updated_date = "2025/11/21"
 
 [rule]
 author = ["Elastic"]

pyproject.toml

@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2025/11/18"
+integration = ["endpoint", "panw"]
+maturity = "production"
+updated_date = "2025/11/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
+the source process performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "PANW and Elastic Defend - Command and Control Correlation"
+references = [
+    "https://attack.mitre.org/tactics/TA0011/",
+    "https://www.elastic.co/docs/reference/integrations/panw",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: PAN-OS",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "panw" and event.action == "c2_communication"]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating PANW and Elastic Defend - Command and Control Correlation
+
+### Possible investigation steps
+
+- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend).
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

…e_escalation_root_login_without_mfa.toml …e_escalation_root_login_without_mfa.tomlrules/integrations/aws/privilege_escalation_root_login_without_mfa.toml renamed to rules/_deprecated/privilege_escalation_root_login_without_mfa.toml rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml renamed to rules/_deprecated/privilege_escalation_root_login_without_mfa.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2025/11/17"
+integration = ["endpoint", "fortinet_fortigate"]
+maturity = "production"
+updated_date = "2025/11/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
+source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
+or act as an intermediary for network communications to a command and control server to avoid direct connections to their
+infrastructure.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-fortinet_fortigate.log-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "SOCKS Traffic from an Unusual Process"
+references = [
+    "https://attack.mitre.org/techniques/T1090/",
+    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "6926b708-7964-425f-bed8-6e006379df08"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: Fortinet",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating SOCKS Traffic from an Unusual Process
+
+### Possible investigation steps
+
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Examine all localhost network connections performed by the same process to verify if there is any port forwarding with another process on the same machine.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Browser proxy extensions and Add-ons.
+- Development and deployment tools.
+- Third party trusted tools using SOCKS for network communication.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Implement network-level controls to block traffic via SOCKS unless authorized.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/07/14"
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/13"
 
 [rule]
 author = ["Elastic"]
@@ -17,19 +18,22 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["logs-*", "metrics-*", "traces-*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
 name = "Agent Spoofing - Multiple Hosts Using Same Agent"
 risk_score = 73
 rule_id = "493834ca-f861-414c-8602-150d5505b777"
 severity = "high"
 tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
-type = "threshold"
+type = "esql"
 
 query = '''
-event.agent_id_status:* and not tags:forwarded
+from logs-endpoint.*  metadata _id
+| where event.agent_id_status is not null 
+| stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values_user_id = values(user.id) by agent.id
+| where Esql.count_distinct_host_ids >= 2
+| keep Esql.count_distinct_host_ids, Esql.host_id_values, Esql.user_id_values_user_id, agent.id
 '''
 note = """## Triage and analysis
 
@@ -80,11 +84,4 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
-[rule.threshold]
-field = ["agent.id"]
-value = 2
-[[rule.threshold.cardinality]]
-field = "host.id"
-value = 2
-
 

rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

@@ -0,0 +1,97 @@
+[metadata]
+creation_date = "2025/11/19"
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule uses alert data to determine when multiple alerts from Elastic Defend involving the same host are triggered.
+Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
+"""
+from = "now-60m"
+interval = "30m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Elastic Defend Alerts by Agent"
+risk_score = 73
+rule_id = "ab25369e-ea5e-46f1-9cd5-478a0a4a131a"
+severity = "high"
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-endpoint.alerts-* metadata _id
+| eval target_time_window = DATE_TRUNC(24 hours, @timestamp)
+| where event.code in ("malicious_file", "memory_signature", "shellcode_thread", "behavior") and
+        agent.id is not null and not rule.name in ("Multi.EICAR.Not-a-virus")
+| stats Esql.alerts_count = COUNT(*),
+        Esql.event_code_distinct_count = count_distinct(event.code),
+        Esql.rule_name_distinct_count = COUNT_DISTINCT(rule.name),
+        Esql.file_hash_distinct_count = COUNT_DISTINCT(file.hash.sha256),
+        Esql.process_name_distinct_count = COUNT_DISTINCT(process.entity_id),
+        Esql.event_code_values = VALUES(event.code),
+        Esql.rule_name_values = VALUES(rule.name),
+        Esql.message_values = VALUES(message),
+        Esql.file_path_values = VALUES(file.path),
+        Esql.dll_path_values = VALUES(dll.path),
+        Esql.process_executable_values = VALUES(process.executable),
+        Esql.process_parent_executable_values = VALUES(process.parent.executable),
+        Esql.process_command_line_values = VALUES(process.command_line),
+        Esql.process_hash_sha256_values = VALUES(process.hash.sha256),
+        Esql.file_hash_sha256_values = VALUES(file.hash.sha256),
+        Esql.dll_hash_sha256_values = VALUES(dll.hash.sha256) by agent.id
+| where (Esql.event_code_distinct_count >= 2 or Esql.rule_name_distinct_count >= 3 or Esql.file_hash_distinct_count >= 2)
+| keep agent.id,
+       Esql.alerts_count,
+       Esql.event_code_distinct_count,
+       Esql.rule_name_distinct_count,
+       Esql.message_values,
+       Esql.event_code_values,
+       Esql.rule_name_values,
+       Esql.process_executable_values,
+       Esql.process_parent_executable_values,
+       Esql.process_command_line_values,
+       Esql.file_path_values,
+       Esql.dll_path_values,
+       Esql.process_hash_sha256_values,
+       Esql.file_hash_sha256_values,
+       Esql.dll_hash_sha256_values
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Multiple Elastic Defend Alerts by Agent
+
+Endpoint security technologies monitor and analyze activities on devices to detect malicious behavior. Adversaries exploit these systems by deploying malware that triggers specific signatures across multiple hosts, indicating a coordinated attack. The detection rule identifies such threats by analyzing alert data for specific malware signatures across several hosts, flagging potential widespread infections for prioritized investigation.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific host involved and the different ATT&CK tactics that triggered the alerts.
+- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.
+- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.
+- Investigate any known vulnerabilities or misconfigurations on the host that could have been exploited by the adversary.
+- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.
+- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.
+
+### False positive analysis
+
+- Alerts from routine administrative tasks may trigger multiple tactics. Review and exclude known benign activities such as scheduled software updates or system maintenance.
+- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.
+- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.
+- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.
+- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.
+
+### Response and remediation
+
+- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.
+- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.
+- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.
+- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.
+- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.
+- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.
+- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign."""
+references = ["https://github.com/elastic/protections-artifacts/tree/main/yara/rules"]