diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index 1c3a6804e8c..31b65ceebca 100644
--- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/30"
 integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/06/30"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100))
 | where multi_spaces > 0
-| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id, _version, _index
 '''
diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
index c3413dc0f46..df5ae006504 100644
--- a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
+++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
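Review bot: The rewritten `| keep` line in the second hunk now carries `_id, _version, _index`, but nothing in the query says why those three columns must survive the projection, so the next edit to that list is likely to trim them again as "not fields". If I have the Kibana ES|QL rule semantics right, a query that projects away the metadata columns is treated as aggregating, and alerts then lose deduplication on `_id` and the link back to the source document; that is worth stating in-line next to the `metadata` clause it mirrors. The query already uses `//` comments, so one line directly above the keep would do: `// keep _id/_version/_index so the rule stays non-aggregating (alert dedup and source-event linking depend on them)`.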
@@ -201,7 +201,10 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 Esql.aws_cloudtrail_request_parameters_target_bucket_name,
 Esql.aws_cloudtrail_request_parameters_target_object_key,
 Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
- Esql.aws_cloudtrail_request_parameters_kms_key_id
+ Esql.aws_cloudtrail_request_parameters_kms_key_id,
+ _id,
+ _version,
+ _index
 '''
diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
index c54d42b1ba9..743ff129052 100644
--- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
+++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/28"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -113,7 +113,10 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 user_agent.original,
 source.ip,
 event.action,
- @timestamp
+ @timestamp,
+ _id,
+ _version,
+ _index
 '''
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
index 91b3726215e..f11cdceaa90 100644
--- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/13"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -156,7 +156,10 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 aws.cloudtrail.user_identity.arn,
 aws.cloudtrail.user_identity.type,
 aws.cloudtrail.user_identity.access_key_id,
- source.geo.*
+ source.geo.*,
+ _id,
+ _version,
+ _index
 '''
diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
index 926d177f74f..1ef19b65dbd 100644
--- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
+++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -93,12 +93,14 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
 azure.auditlogs.operation_name != "Set directory feature on tenant" and
 azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike ".+@[A-Za-z0-9.]+\\.[A-Za-z]{2,}"
 | keep
- _id,
 @timestamp,
 azure.*,
 client.*,
 event.*,
- source.*
+ source.*,
+ _id,
+ _version,
+ _index
 '''
diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
index b2d9420100a..c566be8931a 100644
--- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
+++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,10 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
 source.geo.region_name,
 source.geo.country_name,
 Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,
- Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
+ Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old,
+ _id,
+ _version,
+ _index
 '''
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
index 671bf30d410..9f5e4004a80 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
index 0104a7a1a7f..143799eb82d 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
index 9e983b7d5c6..336faa5d7e3 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
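Review bot: In the second hunk `_version` is slotted between `_id` and `_index` in a `| keep` list whose head lies above the hunk, so a reader of the final file sees three underscore-prefixed names mixed in with ordinary event fields and no indication that they are metadata columns the rule depends on rather than incidental output. The same tail is repeated, unannotated, across every PowerShell obfuscation rule in this change, which makes a later "tidy the projection" edit that drops them quite plausible. A single `//` line above the trio, e.g. `// metadata columns the detection engine needs for alert dedup and source-event linking`, would document the intent in each file. The enclosing `| keep` starts outside the hunk.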
@@ -110,6 +110,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
index ac8390f4b24..7fad3b25bc8 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -106,6 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
index 1b3b5170366..48488f670db 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -112,6 +112,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
index a8c07a25e1c..a839d149a57 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
index 9a885437d55..b7612942b37 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -113,6 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
index 04b16ab68d1..a18b3f9a20e 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -113,6 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
index 8f1bf0ec99f..fb021a93f20 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 agent.id
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
index 8d1ecac4883..4e0ad308454 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
index d7de0ffcefb..a803bad5e82 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
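Review bot: In the `reverse_keyword` hunk the projection ends `_id, _version, _index, agent.id` with no trailing comma, while every sibling obfuscation rule touched by this change ends its visible tail with `_index, host.name, agent.id,` and, judging by the trailing comma, at least one further column. Unless `host.name` is kept higher in the list — the head of `| keep` is outside the hunk — alerts from this rule would carry an agent id but no host name, which makes triage, host-based suppression and pivoting harder than for the rest of the family, and the change is a natural moment to align them. Worth confirming against the full keep list and, if it is absent, adding ` host.name,` on the line before ` agent.id`.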
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
index 16161866a32..d311452fe44 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -118,6 +118,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
index dc029ef4643..42e6bd388e5 100644
--- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
+++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 powershell.sequence,
 powershell.total,
 _id,
+ _version,
 _index,
 host.name,
 agent.id,