Merge branch 'main' into new-rule-potential-lfi-request

shashank-elastic · web-flow · commit e34efb022f11 · 2025-12-04T18:42:59.000+05:30
diff --git a/detection_rules/config.py b/detection_rules/config.py
@@ -227,7 +227,7 @@ def parse_rules_config(path: Path | None = None) -> RulesConfig:  # noqa: PLR091
             raise ValueError(f"rules config file does not exist: {path}")
         loaded = yaml.safe_load(path.read_text())
     elif CUSTOM_RULES_DIR:
-        path = Path(CUSTOM_RULES_DIR) / "_config.yaml"
+        path = Path(CUSTOM_RULES_DIR).expanduser() / "_config.yaml"
         if not path.exists():
             raise FileNotFoundError(
                 """
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -145,7 +145,7 @@
     "kibana.alert.rule.threat.tactic.id": "keyword",
     "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword",
-    "kibana.alert.rule.name": "keyword", 
+    "kibana.alert.rule.name": "keyword",
     "kibana.alert.risk_score": "long",
     "kibana.alert.rule.type": "keyword",
     "kibana.alert.rule.threat.tactic.name": "keyword"
@@ -237,7 +237,8 @@
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
      "o365.audit.OperationProperties.Name": "keyword",
      "o365.audit.OperationProperties.Value": "keyword",
-     "o365.audit.OperationCount": "long"
+     "o365.audit.OperationCount": "long",
+     "o365.audit.AppAccessContext.AADSessionId": "keyword"
   },
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.18"
+version = "1.5.19"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/25"
 
 [rule]
 author = ["Elastic"]
@@ -23,13 +23,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS Redshift Cluster Creation"
+name = "Deprecated - AWS Redshift Cluster Creation"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS Redshift Cluster Creation
+### Investigating Deprecated - AWS Redshift Cluster Creation
 
 Amazon Redshift is a data warehousing service that allows for scalable data storage and analysis. In a secure environment, only authorized users should create Redshift clusters. Adversaries might exploit misconfigured permissions to create clusters, potentially leading to data exfiltration or unauthorized data processing. The detection rule monitors for successful cluster creation events, especially by non-admin users, to identify potential misuse or misconfigurations.
 
diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml
@@ -0,0 +1,134 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/12/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies concurrent Entra ID sign-in events for the same user and session from multiple sources, and where one of the
+authentication event has some suspicious properties often associated to DeviceCode and OAuth phishing. Adversaries may
+steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to
+Azure resources.
+"""
+false_positives = [
+    """
+    Users authenticating from multiple devices and using the deviceCode protocol or the Visual Studio Code client.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode"
+note = """## Triage and analysis
+
+### Investigating Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode
+
+### Possible investigation steps
+
+- Review the sign-in logs to assess the context and reputation of the source.ip address.
+- Investigate the user account associated with the successful sign-in to determine if the activity aligns with expected behavior or if it appears suspicious.
+- Check for any recent changes or anomalies in the user's account settings or permissions that could indicate compromise.
+- Review the history of sign-ins for the user to identify any patterns or unusual access times that could suggest unauthorized access.
+- Assess the device from which the sign-in was attempted to ensure it is a recognized and authorized device for the user.
+
+### Response and remediation
+
+- Immediately revoke the compromised Primary Refresh Tokens (PRTs) to prevent further unauthorized access. This can be done through the Azure portal by navigating to the user's account and invalidating all active sessions.
+- Enforce a password reset for the affected user accounts to ensure that any credentials potentially compromised during the attack are no longer valid.
+- Implement additional Conditional Access policies that require device compliance checks and restrict access to trusted locations or devices only, to mitigate the risk of future PRT abuse.
+- Conduct a thorough review of the affected accounts' recent activity logs to identify any unauthorized actions or data access that may have occurred during the compromise.
+- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or additional compromised accounts.
+- Enhance monitoring by configuring alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, to improve early detection of similar threats.
+- Coordinate with the incident response team to perform a post-incident analysis and update the incident response plan with lessons learned from this event."""
+references = [
+    "https://learn.microsoft.com/en-us/entra/identity/",
+    "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins",
+    "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
+    "https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies"
+]
+risk_score = 73
+rule_id = "3db029b3-fbb7-4697-ad07-33cbfd5bd080"
+setup = """#### Required Azure Entra Sign-In Logs
+This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.
+"""
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Entra ID",
+    "Data Source: Entra ID Sign-in",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure.signinlogs-* metadata _id, _version, _index
+
+| where event.category == "authentication" and event.dataset == "azure.signinlogs" and
+        azure.signinlogs.properties.original_transfer_method == "deviceCodeFlow"
+
+| Eval Esql.interactive_logon = CASE(azure.signinlogs.category == "SignInLogs", source.ip, null),
+       Esql.non_interactive_logon = CASE(azure.signinlogs.category ==  "NonInteractiveUserSignInLogs", source.ip, null)
+
+| stats Esql.count_logon = count(*),
+        Esql.timestamp_values = values(@timestamp),
+        Esql.source_ip_count_distinct = count_distinct(source.ip),
+        Esql.is_interactive = count(Esql.interactive_logon),
+        Esql.is_non_interactive = count(Esql.non_interactive_logon),
+        Esql.user_agent_count_distinct = COUNT_DISTINCT(user_agent.original),
+        Esql.user_agent_values = VALUES(user_agent.original),
+        Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_display_name),
+        Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_id),
+        Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
+        Esql.azure_signinlogs_properties_auth_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
+        Esql.azure_signinlogs_properties_tenant_id = values(azure.tenant_id),
+        Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
+        Esql.message_values = values(message),
+        Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
+        Esql.source_ip_values = VALUES(source.ip) by azure.signinlogs.properties.session_id, azure.signinlogs.identity
+
+| where Esql.is_interactive >= 2 and Esql.is_non_interactive >= 1 and (Esql.source_ip_count_distinct >= 2 or Esql.user_agent_count_distinct >= 2)
+| keep
+       Esql.*,
+       azure.signinlogs.properties.session_id,
+       azure.signinlogs.identity
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/11/25"
 
 [rule]
 author = ["Elastic"]
@@ -83,28 +83,38 @@ type = "esql"
 query = '''
 from logs-o365.audit-*
 | where
-    @timestamp > now() - 14d and
     event.dataset == "o365.audit" and
     event.provider == "OneDrive" and
     event.action == "FileDownloaded" and
     o365.audit.AuthenticationType == "OAuth" and
     event.outcome == "success"
-| eval
-    Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
-| keep
-    Esql.time_window_date_trunc,
-    o365.audit.UserId,
-    file.name,
-    source.ip
+    and (user.id is not null and o365.audit.ApplicationId is not null)
+| eval session.id = coalesce(o365.audit.AppAccessContext.AADSessionId, session.id, null)
+| where session.id is not null
+| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
 | stats
+    Esql.file_directory_values = values(file.directory),
+    Esql.file_extension_values = values(file.extension),
+    Esql.application_name_values = values(application.name),
     Esql.file_name_count_distinct = count_distinct(file.name),
+    Esql.o365_audit_Site_values = values(o365.audit.Site),
+    Esql.o365_audit_SiteUrl_values = values(o365.audit.SiteUrl),
+    Esql.user_domain_values = values(user.domain),
+    Esql.token_id_values = values(token.id),
     Esql.event_count = count(*)
-  by
+by
     Esql.time_window_date_trunc,
-    o365.audit.UserId,
-    source.ip
-| where
-    Esql.file_name_count_distinct >= 25
+    user.id,
+    session.id,
+    source.ip,
+    o365.audit.ApplicationId
+| where Esql.file_name_count_distinct >= 25
+| keep
+    Esql.*,
+    user.id,
+    source.ip,
+    o365.audit.ApplicationId,
+    session.id
 '''
 
 
diff --git a/tests/base.py b/tests/base.py
@@ -26,7 +26,7 @@
 def load_rules() -> RuleCollection:
     if CUSTOM_RULES_DIR:
         rc = RuleCollection()
-        path = Path(CUSTOM_RULES_DIR)
+        path = Path(CUSTOM_RULES_DIR).expanduser()
         assert path.exists(), f"Custom rules directory {path} does not exist"
         rc.load_directories(directories=RULES_CONFIG.rule_dirs)
         rc.freeze()
@@ -62,7 +62,7 @@ def setUpClass(cls):
                 RULE_LOADER_FAIL = True
                 RULE_LOADER_FAIL_MSG = str(e)
 
-        cls.custom_dir = Path(CUSTOM_RULES_DIR).resolve() if CUSTOM_RULES_DIR else None
+        cls.custom_dir = Path(CUSTOM_RULES_DIR).expanduser().resolve() if CUSTOM_RULES_DIR else None
         cls.rules_config = RULES_CONFIG
 
     @staticmethod
