From a1d1f245e21889d07c75b5fbd8ce8b724e83afa9 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 9 Dec 2025 16:40:30 -0300 Subject: [PATCH 1/5] [Rule Tuning] Add Missing Metadata to KEEP conditions --- .../defense_evasion_whitespace_padding_command_line.toml | 4 ++-- .../aws/impact_s3_object_encryption_with_external_key.toml | 5 +++-- .../aws/impact_s3_static_site_js_file_uploaded.toml | 5 +++-- ...stence_iam_user_created_access_keys_for_another_user.toml | 5 +++-- .../persistence_entra_id_oidc_discovery_url_change.toml | 5 +++-- 5 files changed, 14 insertions(+), 10 deletions(-) diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml index 1c3a6804e8c..5c44d61f21c 100644 --- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml +++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/30" integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/06/30" +updated_date = "2025/12/09" [rule] author = ["Elastic"] @@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index // more than 100 spaces in process.command_line | eval multi_spaces = LOCATE(process.command_line, space(100)) | where multi_spaces > 0 -| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable +| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id ''' diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml index c3413dc0f46..19ff86937b0 100644 --- a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml 
+++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/02" integration = ["aws"] maturity = "production" -updated_date = "2025/12/02" +updated_date = "2025/12/09" [rule] author = ["Elastic"] @@ -201,7 +201,8 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index Esql.aws_cloudtrail_request_parameters_target_bucket_name, Esql.aws_cloudtrail_request_parameters_target_object_key, Esql.aws_cloudtrail_request_parameters_kms_key_account_id, - Esql.aws_cloudtrail_request_parameters_kms_key_id + Esql.aws_cloudtrail_request_parameters_kms_key_id, + _id ''' diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml index c54d42b1ba9..527bac667a2 100644 --- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml +++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["aws"] maturity = "production" -updated_date = "2025/10/28" +updated_date = "2025/12/09" [rule] author = ["Elastic"] @@ -113,7 +113,8 @@ from logs-aws.cloudtrail* metadata _id, _version, _index user_agent.original, source.ip, event.action, - @timestamp + @timestamp, + _id ''' diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index 91b3726215e..93a44b17e6f 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/13" integration = ["aws"] maturity = "production" -updated_date = "2025/10/13" +updated_date = "2025/12/09" [rule] author = ["Elastic"] 
@@ -156,7 +156,8 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, - source.geo.* + source.geo.*, + _id ''' diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml index b2d9420100a..210354c3cf1 100644 --- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml +++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/12/09" [rule] author = ["Elastic"] @@ -81,7 +81,8 @@ from logs-azure.auditlogs-* metadata _id, _version, _index source.geo.region_name, source.geo.country_name, Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new, - Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old + Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old, + _id ''' From ffbd49899ded72a20f628dd71ff1a2be66de7ece Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 9 Dec 2025 17:52:35 -0300 Subject: [PATCH 2/5] Add them all --- .../defense_evasion_whitespace_padding_command_line.toml | 2 +- .../aws/impact_s3_object_encryption_with_external_key.toml | 4 +++- .../aws/impact_s3_static_site_js_file_uploaded.toml | 4 +++- ...istence_iam_user_created_access_keys_for_another_user.toml | 4 +++- .../azure/persistence_entra_id_oidc_discovery_url_change.toml | 4 +++- 5 files changed, 13 insertions(+), 5 deletions(-) diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml index 5c44d61f21c..31b65ceebca 100644 --- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml 
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml @@ -90,7 +90,7 @@ FROM logs-* metadata _id, _version, _index // more than 100 spaces in process.command_line | eval multi_spaces = LOCATE(process.command_line, space(100)) | where multi_spaces > 0 -| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id +| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable, _id, _version, _index ''' diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml index 19ff86937b0..df5ae006504 100644 --- a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml +++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml @@ -202,7 +202,9 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index Esql.aws_cloudtrail_request_parameters_target_object_key, Esql.aws_cloudtrail_request_parameters_kms_key_account_id, Esql.aws_cloudtrail_request_parameters_kms_key_id, - _id + _id, + _version, + _index ''' diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml index 527bac667a2..743ff129052 100644 --- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml +++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml @@ -114,7 +114,9 @@ from logs-aws.cloudtrail* metadata _id, _version, _index source.ip, event.action, @timestamp, - _id + _id, + _version, + _index ''' diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index 93a44b17e6f..f11cdceaa90 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml 
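Review bot: The `keep` in defense_evasion_whitespace_padding_command_line.toml is the only query in this series that lists its fields on a single line; every other rule touched here puts one field per line with the three metadata fields last, so for consistency I would break this one up the same way, ending with `_id,` / `_version,` / `_index`. Since the whole point of the series is that these fields had been left out, I would also guard them with a comment in the query — it already uses `//` comments — such as `// _id, _version and _index must stay in keep: the detection engine relies on them to deduplicate alerts across runs`, so a later tuning pass does not drop them again. The dedup reason is my understanding of how ES|QL rules are handled rather than something visible in the diff, so adjust the wording if the actual reason differs.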
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -157,7 +157,9 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, source.geo.*, - _id + _id, + _version, + _index ''' diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml index 210354c3cf1..c566be8931a 100644 --- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml +++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml @@ -82,7 +82,9 @@ from logs-azure.auditlogs-* metadata _id, _version, _index source.geo.country_name, Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new, Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old, - _id + _id, + _version, + _index ''' From cc42fafb705831aaf4b950a883170e4e37a49dba Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 9 Dec 2025 18:05:44 -0300 Subject: [PATCH 3/5] ++ --- ...ccess_entra_id_actor_token_user_impersonation_abuse.toml | 6 ++++-- .../windows/defense_evasion_posh_obfuscation_backtick.toml | 1 + .../defense_evasion_posh_obfuscation_backtick_var.toml | 1 + .../defense_evasion_posh_obfuscation_char_arrays.toml | 1 + .../defense_evasion_posh_obfuscation_concat_dynamic.toml | 1 + ...nse_evasion_posh_obfuscation_high_number_proportion.toml | 1 + ...vasion_posh_obfuscation_iex_env_vars_reconstruction.toml | 1 + ..._evasion_posh_obfuscation_iex_string_reconstruction.toml | 1 + .../defense_evasion_posh_obfuscation_index_reversal.toml | 1 + .../defense_evasion_posh_obfuscation_reverse_keyword.toml | 1 + .../defense_evasion_posh_obfuscation_string_concat.toml | 1 + .../defense_evasion_posh_obfuscation_string_format.toml | 1 + ...sion_posh_obfuscation_whitespace_special_proportion.toml | 1 + ...e_evasion_posh_obfuscation_proportion_special_chars.toml | 1 + 14 files changed, 17 insertions(+), 2 deletions(-) diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml index 926d177f74f..d00ff6b601d 100644 --- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml @@ -93,12 +93,14 @@ from logs-azure.auditlogs-* metadata _id, _version, _index azure.auditlogs.operation_name != "Set directory feature on tenant" and azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike ".+@[A-Za-z0-9.]+\\.[A-Za-z]{2,}" | keep - _id, @timestamp, azure.*, client.*, event.*, - source.* + source.*, + _id, + _version, + _index ''' 
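Review bot: The reorder in initial_access_entra_id_actor_token_user_impersonation_abuse.toml is purely cosmetic — `_id` already sat at the top of this keep list — so the only functional change is the added `_version` and `_index`, and this is the third commit in the series hand-patching the same three fields into individual rules. If the repository's rule-validation tests do not already do so, I would add a check that any ES|QL query declaring `metadata _id, _version, _index` also lists all three in its final `keep`, so the omission this PR fixes is caught automatically for new rules instead of being found later by hand. Whether such a test exists is not visible from the diff.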
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index 671bf30d410..f0957f26739 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml index 0104a7a1a7f..bb0e9971737 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml @@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index 9e983b7d5c6..ec8ff018aa5 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml @@ -110,6 +110,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml index ac8390f4b24..585163eefcc 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml @@ -106,6 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, 
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index 1b3b5170366..f81ab4a3ded 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml @@ -112,6 +112,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index a8c07a25e1c..297f971f2a0 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml @@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index 9a885437d55..3e3fb986548 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -113,6 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml index 04b16ab68d1..a8eb6214934 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml 
@@ -113,6 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index 8f1bf0ec99f..51d507b4b6d 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, agent.id diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml index 8d1ecac4883..e6cbf9cf38d 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml @@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index d7de0ffcefb..b8b659abc08 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml @@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml index 16161866a32..a6fcbf79910 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml 
+++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml @@ -118,6 +118,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index dc029ef4643..26afb2fe2e4 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -79,6 +79,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index powershell.sequence, powershell.total, _id, + _version, _index, host.name, agent.id, From 3ae59279e14f8f2b6b59668544f6b1258e572815 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 9 Dec 2025 18:08:40 -0300 Subject: [PATCH 4/5] date bump --- ...al_access_entra_id_actor_token_user_impersonation_abuse.toml | 2 +- rules/windows/defense_evasion_posh_obfuscation_backtick.toml | 2 +- .../windows/defense_evasion_posh_obfuscation_backtick_var.toml | 2 +- rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml | 2 +- .../defense_evasion_posh_obfuscation_concat_dynamic.toml | 2 +- ...defense_evasion_posh_obfuscation_high_number_proportion.toml | 2 +- ...se_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml | 2 +- ...ense_evasion_posh_obfuscation_iex_string_reconstruction.toml | 2 +- .../defense_evasion_posh_obfuscation_index_reversal.toml | 2 +- .../defense_evasion_posh_obfuscation_reverse_keyword.toml | 2 +- .../windows/defense_evasion_posh_obfuscation_string_concat.toml | 2 +- .../windows/defense_evasion_posh_obfuscation_string_format.toml | 2 +- ..._evasion_posh_obfuscation_whitespace_special_proportion.toml | 2 +- ...fense_evasion_posh_obfuscation_proportion_special_chars.toml | 2 +- .../discovery_ec2_multi_region_describe_instances.toml | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml index d00ff6b601d..1ef19b65dbd 100644 --- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["azure"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index f0957f26739..9f5e4004a80 100644 
--- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml index bb0e9971737..143799eb82d 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index ec8ff018aa5..336faa5d7e3 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml index 585163eefcc..7fad3b25bc8 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index f81ab4a3ded..48488f670db 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index 297f971f2a0..a839d149a57 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index 3e3fb986548..b7612942b37 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml index a8eb6214934..a18b3f9a20e 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml 
+++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml index 51d507b4b6d..fb021a93f20 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml index e6cbf9cf38d..4e0ad308454 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml index b8b659abc08..a803bad5e82 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/03" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml index a6fcbf79910..d311452fe44 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index 26afb2fe2e4..42e6bd388e5 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/discovery_ec2_multi_region_describe_instances.toml b/rules_building_block/discovery_ec2_multi_region_describe_instances.toml index 93ffd93b7cf..acdf1b9b644 100644 --- a/rules_building_block/discovery_ec2_multi_region_describe_instances.toml +++ b/rules_building_block/discovery_ec2_multi_region_describe_instances.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/08/26" integration = ["aws"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2025/12/09" [rule] author = ["Elastic"] From e65a84cee2b90c22a4e2e1ae4cd059b0a560e940 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 9 Dec 2025 13:09:07 -0800 Subject: [PATCH 5/5] Update rules_building_block/discovery_ec2_multi_region_describe_instances.toml --- .../discovery_ec2_multi_region_describe_instances.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules_building_block/discovery_ec2_multi_region_describe_instances.toml b/rules_building_block/discovery_ec2_multi_region_describe_instances.toml index acdf1b9b644..93ffd93b7cf 100644 --- a/rules_building_block/discovery_ec2_multi_region_describe_instances.toml +++ b/rules_building_block/discovery_ec2_multi_region_describe_instances.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/08/26" integration = ["aws"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2025/12/04" [rule] author = ["Elastic"]