Skip to content

[Rule Tuning] Add Missing Metadata to KEEP conditions #5442

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
w0rk3r merged 6 commits into from
Dec 10, 2025
Merged

[Rule Tuning] Add Missing Metadata to KEEP conditions #5442

w0rk3r merged 6 commits into from
Dec 10, 2025

Conversation

@w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Dec 9, 2025
edited
Loading

Issues

Related to:

Summary

Adds _id, _version and _index to the KEEP condition.

@w0rk3r w0rk3r self-assigned this Dec 9, 2025
@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule backport: auto labels Dec 9, 2025
@botelastic botelastic bot added Domain: Cloud Integration: AWS AWS related rules Integration: Azure azure related rules labels Dec 9, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic
Copy link

tradebot-elastic commented Dec 9, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OIDC Discovery URL Changed in Entra ID (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Dec 9, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OIDC Discovery URL Changed in Entra ID (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@eric-forte-elastic
Copy link
Contributor

eric-forte-elastic commented Dec 9, 2025

I think the rule rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml is missing _version, _index in the keep

@w0rk3r
Copy link
Contributor Author

w0rk3r commented Dec 9, 2025

++ I skipped it initially as I wasn't adding the other 2, I'll add it

@botelastic botelastic bot added bbr Building Block Rules Domain: Endpoint OS: Windows windows related rules labels Dec 9, 2025
@tradebot-elastic
Copy link

tradebot-elastic commented Dec 9, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OIDC Discovery URL Changed in Entra ID (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic IEX Reconstruction via Method String Access (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Reordering (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Concatenation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r
Copy link
Contributor Author

w0rk3r commented Dec 9, 2025

@eric-forte-elastic that one will be addressed by #5439

@tradebot-elastic
Copy link

tradebot-elastic commented Dec 9, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OIDC Discovery URL Changed in Entra ID (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic IEX Reconstruction via Method String Access (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Reordering (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Concatenation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

w0rk3r
w0rk3r commented Dec 9, 2025
View reviewed changes
@tradebot-elastic
Copy link

tradebot-elastic commented Dec 9, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OIDC Discovery URL Changed in Entra ID (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic IEX Reconstruction via Method String Access (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Reordering (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Concatenation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

eric-forte-elastic
eric-forte-elastic approved these changes Dec 9, 2025
View reviewed changes
Copy link
Contributor

@eric-forte-elastic eric-forte-elastic left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Manual review, looks good to me! 👍

When this branch and rt_0 are pulled into #5441, the tests there pass.

Details 

detection-rules on  5440-fr-unit-test-for-keep-metadata [!?⇡] is  v1.5.23 via  v3.12.12 (detection-rules-build) on  eric.forte  
❯ git checkout origin/rt_1 -- rules

detection-rules on  5440-fr-unit-test-for-keep-metadata [!?⇡] is  v1.5.23 via  v3.12.12 (detection-rules-build) on  eric.forte 
❯ python -m detection_rules test
Loaded config file: /tmp/detection-rules/.detection-rules-cfg.json
...

tests/test_version_locking.py::TestVersionLock::test_previous_entries_gte_current_min_stack PASSED                                                                                                              [100%]

================================================================================================== warnings summary ===================================================================================================
env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1303
env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1303
  /tmp/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1303: PytestAssertRewriteWarning: Module already imported so cannot be rewritten; typeguard
    self._mark_plugins_for_rewrite(hook, disable_autoload)

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
=============================================================================== 171 passed, 14 skipped, 2 warnings in 159.82s (0:02:39) ===============================================================================

detection-rules on  5440-fr-unit-test-for-keep-metadata [!?⇡] is  v1.5.23 via  v3.12.12 (detection-rules-build) on  eric.forte took 2m44s

@tradebot-elastic
Copy link

tradebot-elastic commented Dec 10, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OIDC Discovery URL Changed in Entra ID (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Line Obfuscation via Whitespace Padding (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic IEX Reconstruction via Method String Access (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Reordering (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via String Concatenation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r merged commit 7a54ae3 into main Dec 10, 2025
13 checks passed
@w0rk3r w0rk3r deleted the rt_1 branch December 10, 2025 01:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Samirbous Samirbous Samirbous approved these changes

@eric-forte-elastic eric-forte-elastic eric-forte-elastic approved these changes

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson

@imays11 imays11 Awaiting requested review from imays11

@Aegrah Aegrah Awaiting requested review from Aegrah

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

Assignees

@w0rk3r w0rk3r

Labels

backport: auto bbr Building Block Rules Domain: Cloud Domain: Endpoint Integration: AWS AWS related rules Integration: Azure azure related rules OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@w0rk3r @tradebot-elastic @eric-forte-elastic @Samirbous