Merge branch 'main' into terrancedejesus/issue5344

Author: terrancedejesus

detection_rules/etc/integration-manifests.json.gz

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.13"
+version = "1.5.14"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

detection_rules/etc/integration-schemas.json.gz

@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2025/11/18"
+integration = ["endpoint", "panw"]
+maturity = "production"
+updated_date = "2025/11/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
+the source process performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "PANW and Elastic Defend - Command and Control Correlation"
+references = [
+    "https://attack.mitre.org/tactics/TA0011/",
+    "https://www.elastic.co/docs/reference/integrations/panw",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: PAN-OS",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "panw" and event.action == "c2_communication"]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating PANW and Elastic Defend - Command and Control Correlation
+
+### Possible investigation steps
+
+- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend).
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

pyproject.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2025/11/17"
+integration = ["endpoint", "fortinet_fortigate"]
+maturity = "production"
+updated_date = "2025/11/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
+source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
+or act as an intermediary for network communications to a command and control server to avoid direct connections to their
+infrastructure.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-fortinet_fortigate.log-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "SOCKS Traffic from an Unusual Process"
+references = [
+    "https://attack.mitre.org/techniques/T1090/",
+    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "6926b708-7964-425f-bed8-6e006379df08"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: Fortinet",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating SOCKS Traffic from an Unusual Process
+
+### Possible investigation steps
+
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Examine all localhost network connections performed by the same process to verify if there is any port forwarding with another process on the same machine.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Browser proxy extensions and Add-ons.
+- Development and deployment tools.
+- Third party trusted tools using SOCKS for network communication.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Implement network-level controls to block traffic via SOCKS unless authorized.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/07/14"
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/13"
 
 [rule]
 author = ["Elastic"]
@@ -17,19 +18,22 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["logs-*", "metrics-*", "traces-*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
 name = "Agent Spoofing - Multiple Hosts Using Same Agent"
 risk_score = 73
 rule_id = "493834ca-f861-414c-8602-150d5505b777"
 severity = "high"
 tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
-type = "threshold"
+type = "esql"
 
 query = '''
-event.agent_id_status:* and not tags:forwarded
+from logs-endpoint.*  metadata _id
+| where event.agent_id_status is not null 
+| stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values_user_id = values(user.id) by agent.id
+| where Esql.count_distinct_host_ids >= 2
+| keep Esql.count_distinct_host_ids, Esql.host_id_values, Esql.user_id_values_user_id, agent.id
 '''
 note = """## Triage and analysis
 
@@ -80,11 +84,4 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
-[rule.threshold]
-field = ["agent.id"]
-value = 2
-[[rule.threshold.cardinality]]
-field = "host.id"
-value = 2
-
 

rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

@@ -2,11 +2,16 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 
 [rule]
 author = ["Austin Songer"]
-description = "Identifies when an ElastiCache security group has been created."
+description = """
+Identifies when an ElastiCache security group has been created. Amazon EC2-Classic and ElastiCache CacheSecurityGroups
+have been retired. Modern ElastiCache deployments run in a VPC and use standard EC2 security groups instead. This rule
+should be retained only for historical log analysis on legacy CloudTrail data. We recommend relying on "AWS EC2 Security
+Group Configuration Change" rule for network-control changes impacting ElastiCache in VPC-based deployments.
+"""
 false_positives = [
     """
     A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity,
@@ -20,13 +25,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS ElastiCache Security Group Created"
+name = "Deprecated - AWS ElastiCache Security Group Created"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS ElastiCache Security Group Created
+### Investigating Deprecated - AWS ElastiCache Security Group Created
 
 AWS ElastiCache security groups control access to cache clusters, ensuring only authorized traffic can interact with them. Adversaries might create new security groups to bypass existing restrictions, facilitating unauthorized access or data exfiltration. The detection rule monitors for successful creation events of these groups, signaling potential defense evasion tactics by identifying unusual or unauthorized configurations.
 
@@ -66,7 +71,13 @@ references = [
 risk_score = 21
 rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml

@@ -2,11 +2,17 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 
 [rule]
 author = ["Austin Songer"]
-description = "Identifies when an ElastiCache security group has been modified or deleted."
+description = """
+Identifies when an ElastiCache security group has been modified or deleted. Amazon EC2-Classic and ElastiCache
+CacheSecurityGroups have been retired. Modern ElastiCache deployments run in a VPC and use standard EC2 security groups
+instead. This rule should be retained only for historical log analysis on legacy CloudTrail data. We recommend relying
+on "AWS EC2 Security Group Configuration Change" rule for network-control changes impacting ElastiCache in VPC-based
+deployments.
+"""
 false_positives = [
     """
     A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
@@ -20,13 +26,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS ElastiCache Security Group Modified or Deleted"
+name = "Deprecated - AWS ElastiCache Security Group Modified or Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS ElastiCache Security Group Modified or Deleted
+### Investigating Deprecated - AWS ElastiCache Security Group Modified or Deleted
 
 AWS ElastiCache security groups control inbound and outbound traffic to cache clusters, ensuring only authorized access. Adversaries may modify or delete these groups to bypass security controls, facilitating unauthorized data access or exfiltration. The detection rule monitors specific API actions related to security group changes, flagging successful modifications or deletions as potential defense evasion attempts.
 
@@ -64,7 +70,13 @@ references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference
 risk_score = 21
 rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"