Merge branch 'main' into web-server-rule-tuning

Author: Aegrah

.github/stale.yml

@@ -12,6 +12,8 @@ onlyLabels: []
 exemptLabels:
   - bug
   - backlog
+  - "Rule: Tuning"
+  - "Rule: New"
 
 # Set to true to ignore issues in a project (defaults to false)
 exemptProjects: false

rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/30"
 integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/06/30"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 
-| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id, _version, _index
 '''
 
 

rules/cross-platform/initial_access_azure_o365_with_network_alert.toml

@@ -2,12 +2,12 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip.
+This rule correlate Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address.
 Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
 resources.
 """
@@ -19,10 +19,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "M365 or Entra ID Identity Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating M365 or Entra ID Identity Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 | where @timestamp > now() - 8 hours
 // filter for azure or m365 sign-in and external alerts with source.ip not null
 | where to_ip(source.ip) is not null
-  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
+  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
   and not cidr_match(
     to_ip(source.ip),
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -93,13 +93,13 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
   )
 
 // capture relevant raw fields
-| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
+| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
 
 // classify each source ip based on alert type
 | eval
   Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
   Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
-  Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "external alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
+  Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
 
 // aggregate by source ip
 | stats
@@ -109,7 +109,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
     Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
     Esql.event_dataset_count_distinct = count_distinct(event.dataset),
     Esql.event_dataset_values = values(event.dataset),
-    Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
+    Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
     Esql.event_category_values = values(event.category)
   by Esql.source_ip = to_ip(source.ip)
 

rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -101,12 +101,11 @@ process where event.type == "start" and event.action in ("exec", "executed", "st
 )
 and (
   ?process.working_directory : (
-    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*",
-    "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
+    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*.pnpm/next*", "*next/dist/server*", "*react-scripts*") or
   (
     process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
     process.parent.command_line : (
-      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "*server.js*", "*bin/next*",
+      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "* server.js*",  "*start-server.js*", "*bin/next*",
       "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"
     )
   )

rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -201,7 +201,10 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
   Esql.aws_cloudtrail_request_parameters_target_bucket_name,
   Esql.aws_cloudtrail_request_parameters_target_object_key,
   Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
-  Esql.aws_cloudtrail_request_parameters_kms_key_id
+  Esql.aws_cloudtrail_request_parameters_kms_key_id,
+  _id,
+  _version,
+  _index
 '''
 
 

rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/28"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,10 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
     user_agent.original,
     source.ip,
     event.action,
-    @timestamp
+    @timestamp,
+    _id,
+    _version,
+    _index
 '''
 
 

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/13"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -156,7 +156,10 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     aws.cloudtrail.user_identity.arn,
     aws.cloudtrail.user_identity.type,
     aws.cloudtrail.user_identity.access_key_id,
-    source.geo.*
+    source.geo.*,
+    _id,
+    _version,
+    _index
 '''
 
 

…harepoint_access_for_user_principal.toml …harepoint_access_for_user_principal.tomlrules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml renamed to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml renamed to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 

rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Microsoft Graph Request Email Access by Unusual User and Client"
 note = """## Triage and analysis
 
-### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
+### Investigating Microsoft Graph Request Email Access by Unusual User and Client
 
 This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
 

rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode"
+name = "Entra ID OAuth Device Code Flow with Concurrent Sign-ins"
 note = """## Triage and analysis
 
-### Investigating Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode
+### Investigating Entra ID OAuth Device Code Flow with Concurrent Sign-ins
 
 ### Possible investigation steps