Merge branch 'main' into terrancedejesus/issue5435

Author: terrancedejesus

.github/stale.yml

@@ -12,6 +12,8 @@ onlyLabels: []
 exemptLabels:
   - bug
   - backlog
+  - "Rule: Tuning"
+  - "Rule: New"
 
 # Set to true to ignore issues in a project (defaults to false)
 exemptProjects: false

rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/30"
 integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/06/30"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 
-| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id, _version, _index
 '''
 
 

rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -201,7 +201,10 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
   Esql.aws_cloudtrail_request_parameters_target_bucket_name,
   Esql.aws_cloudtrail_request_parameters_target_object_key,
   Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
-  Esql.aws_cloudtrail_request_parameters_kms_key_id
+  Esql.aws_cloudtrail_request_parameters_kms_key_id,
+  _id,
+  _version,
+  _index
 '''
 
 

rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/28"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,10 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
     user_agent.original,
     source.ip,
     event.action,
-    @timestamp
+    @timestamp,
+    _id,
+    _version,
+    _index
 '''
 
 

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/13"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -156,7 +156,10 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     aws.cloudtrail.user_identity.arn,
     aws.cloudtrail.user_identity.type,
     aws.cloudtrail.user_identity.access_key_id,
-    source.geo.*
+    source.geo.*,
+    _id,
+    _version,
+    _index
 '''
 
 

rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -93,12 +93,14 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
   azure.auditlogs.operation_name != "Set directory feature on tenant"
   and azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike ".+@[A-Za-z0-9.]+\\.[A-Za-z]{2,}"
 | keep
-    _id,
     @timestamp,
     azure.*,
     client.*,
     event.*,
-    source.*
+    source.*,
+    _id,
+    _version,
+    _index
 '''
 
 

rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/07/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,10 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
     source.geo.region_name,
     source.geo.country_name,
     Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,
-    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
+    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old,
+    _id,
+    _version,
+    _index
 '''
 
 

rules/windows/defense_evasion_masquerading_as_svchost.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/12"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2025/12/09"
 min_stack_version = "9.1.0"
 min_stack_comments = "The esql match operator was introduced in version 9.1.0"
 
@@ -72,10 +72,10 @@ query = '''
 FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-* metadata _id, _version, _index
 | where event.category == "process" and event.type == "start" and
   match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
-  not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
-  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
-  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe"""
-| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line
+  not to_lower(process.executable) in ("c:\\windows\\syswow64\\svchost.exe", "c:\\windows\\system32\\svchost.exe") and
+  not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\system32\\svchost.exe""" and
+  not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\syswow64\\svchost.exe""" 
+| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line, _id, _version, _index
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_backtick.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,