Merge branch 'main' into multi-by-ds

Author: Samirbous

detection_rules/etc/non-ecs-schema.json

@@ -150,6 +150,10 @@
     "kibana.alert.rule.type": "keyword",
     "kibana.alert.rule.threat.tactic.name": "keyword"
   },
+  "logs-github.audit-*": {
+    "github.reasons.code": "keyword",
+    "github.reasons.message": "text"
+  },
   "logs-google_workspace*": {
     "gsuite.admin": "keyword",
     "gsuite.admin.new_value": "keyword",

docs/audit_policies/windows/README.md docs/audit_policies/windows/readme.mddocs/audit_policies/windows/README.md renamed to docs/audit_policies/windows/readme.md

@@ -49,4 +49,4 @@ For a production-ready and more integrated solution that is designed to work wit
 * [Sysmon Event IDs 17, 18: Named Pipe Events](sysmon_eventid17_18_pipe_event.md)
 * [Sysmon Event IDs 19, 20, 21: WMI Events](sysmon_eventid19_20_21_wmi_event.md)
 * [Sysmon Event ID 22: DNS Query](sysmon_eventid22_dns_query.md)
-* [Sysmon Event ID 23: File Delete](sysmon_eventid23_file_delete.md)
+* [Sysmon Event ID 23: File Delete](sysmon_eventid23_file_delete.md)

docs/docset.yml

@@ -3,7 +3,7 @@ cross_links:
   - docs-content
 exclude:
   - '_*.md'
-  - 'README.md'
+  - 'readme.md'
 
 extensions:
   - detection-rules
@@ -13,7 +13,7 @@ toc:
     detection_rules: ['../rules', '../rules_building_block']
   - folder: audit_policies/windows
     children:
-      - file: README.md
+      - file: readme.md
       - file: audit_authorization_policy_change.md
       - file: audit_computer_account_management.md
       - file: audit_detailed_file_share.md

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.23"
+version = "1.5.24"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/cross-platform/persistence_shell_profile_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ triggered by a user’s shell.
 """
 false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "auditbeat-*"]
+index = ["logs-endpoint.events.file-*", "auditbeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Bash Shell Profile Modification"
@@ -35,20 +35,12 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:file and event.type:change and
+event.category:file and host.os.type:(linux or macos) and event.type:change and not event.action:("rename" or "extended_attributes_delete") and
+  file.name:(".bash_profile" or ".profile" or ".bashrc" or ".zshenv" or ".zshrc") and file.path:(/home/* or /Users/*) and 
   process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
   launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
   dnf-automatic or git or dpkg or platform-python)) and
-  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
-  file.path:(/private/etc/rc.local or
-             /etc/rc.local or
-             /home/*/.profile or
-             /home/*/.profile1 or
-             /home/*/.bash_profile or
-             /home/*/.bash_profile1 or
-             /home/*/.bashrc or
-             /Users/*/.bash_profile or
-             /Users/*/.zshenv)
+  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*)
 '''
 note = """## Triage and analysis
 

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -181,6 +181,6 @@ field = "new_terms_fields"
 value = ["source.address", "tls.client.server_name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-5d"
 
 

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

@@ -2,17 +2,17 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
 description = """
 An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may
 attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
-a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue`
-or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
-setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An
-adversary with access to a compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager.
+a specific user identity has programmatically retrieved a secret value from Secrets Manager using the GetSecretValue
+action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's
+assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a
+compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager.
 """
 false_positives = [
     """
@@ -22,7 +22,6 @@ false_positives = [
 ]
 from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
@@ -32,7 +31,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` or `BatchGetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
+This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
 
 #### Possible investigation steps
 
@@ -95,26 +94,12 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
-    event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and
-    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "Boto3")
+event.dataset: aws.cloudtrail 
+    and event.provider: secretsmanager.amazonaws.com 
+    and event.action: GetSecretValue 
+    and event.outcome: success
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "user.name",
-    "user_agent.original",
-    "source.ip",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.access_key_id",
-    "event.action",
-    "event.outcome",
-    "cloud.account.id",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -134,11 +119,27 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"
 
 

rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/09"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -125,4 +125,4 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"