Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 0 additions & 9 deletions detection_rules/etc/non-ecs-schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,6 @@
"file.Ext.header_bytes": "keyword",
"file.Ext.entropy": "long",
"file.Ext.windows.zone_identifier": "long",
"file.size": "long",
"file.Ext.original.name": "keyword",
"dll.Ext.device.product_id": "keyword",
"dll.Ext.relative_file_creation_time": "double",
Expand All @@ -119,7 +118,6 @@
"kubernetes.audit.objectRef.subresource": "keyword",
"kubernetes.audit.objectRef.name": "keyword",
"kubernetes.audit.verb": "keyword",
"kubernetes.audit.objectRef.name": "keyword",
"kubernetes.audit.user.username": "keyword",
"kubernetes.audit.impersonatedUser.username": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
Expand Down Expand Up @@ -292,15 +290,8 @@
"okta.debug_context.debug_data.flattened.privilegeGranted": "keyword"
},
"logs-network_traffic.http*": {
"data_stream.dataset": "keyword",
"url.path": "keyword",
"http.request.referrer": "keyword",
"http.request.headers.content-type": "keyword",
"network.direction": "keyword",
"http.request.method": "keyword",
"request": "keyword",
"http.request.body.bytes": "long",
"http.request.body.content": "keyword",
"http.response.headers.server": "keyword"
},
"metrics-*": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/12/01"
integration = ["aws", "gcp", "azure", "kubernetes"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -136,7 +136,7 @@ FROM logs-azure.platformlogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-*, logs-ku
event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest")) OR

/* Kubernetes Secrets */
(data_stream.dataset == "kubernetes.audit_logs" AND kubernetes.audit.objectRef.resource == "secrets" AND kubernetes.audit.verb IN ("get", "list"))
(data_stream.dataset == "kubernetes.audit_logs" AND orchestrator.resource.type == "secrets" AND event.action IN ("get", "list"))

) AND source.ip IS NOT NULL

Expand Down Expand Up @@ -173,7 +173,7 @@ FROM logs-azure.platformlogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-*, logs-ku
Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, "unknown")),
// Generic cloud metadata
Esql.cloud_region_values = VALUES(cloud.region),
Esql.k8s_namespace_values = VALUES(kubernetes.audit.objectRef.namespace),
Esql.k8s_namespace_values = VALUES(orchestrator.namespace),
// Namespace values
Esql.data_stream_namespace_values = VALUES(data_stream.namespace),
Esql_priv.user_name_values = VALUES(user.name)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -108,7 +108,7 @@ sequence with maxspan=1s
) and process.interactive == true and container.id like "*"
] by orchestrator.resource.name
[any where data_stream.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
`kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
`event.outcome` == "forbid"
] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`
'''

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -115,17 +115,17 @@ sequence with maxspan=1s
[any where
data_stream.dataset == "kubernetes.audit_logs" and
kubernetes.audit.stage in ("ResponseStarted","ResponseComplete") and
kubernetes.audit.verb in ("get", "list", "watch", "create", "patch", "update") and
event.action in ("get", "list", "watch", "create", "patch", "update") and
(
kubernetes.audit.objectRef.resource in (
orchestrator.resource.type in (
"pods", "secrets", "serviceaccounts", "configmaps",
"roles", "rolebindings", "clusterroles", "clusterrolebindings",
"deployments", "daemonsets", "statefulsets", "jobs", "cronjobs",
"nodes", "namespaces",
"selfsubjectaccessreviews", "selfsubjectrulesreviews", "subjectaccessreviews"
)
or (
kubernetes.audit.objectRef.resource == "pods" and
orchestrator.resource.type == "pods" and
kubernetes.audit.objectRef.subresource in ("exec", "attach", "portforward", "log")
)
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/04/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -72,7 +72,7 @@ type = "new_terms"
query = '''
data_stream.dataset:"aws.cloudtrail"
and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData"
and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
and aws.cloudtrail.user_identity.type:"AssumedRole" and error.code:"Client.UnauthorizedOperation"
'''

[rule.investigation_fields]
Expand All @@ -87,7 +87,7 @@ field_names = [
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"aws.cloudtrail.error_code",
"error.code",
"aws.cloudtrail.request_parameters",
"cloud.account.id",
"cloud.region"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
creation_date = "2026/04/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/06"
min_stack_comments = "New entity classification fields added: user.entity.id"
updated_date = "2026/06/23"
min_stack_comments = "New entity classification fields added: aws.cloudtrail.user_identity.arn"
min_stack_version = "9.2.0"

[rule]
Expand Down Expand Up @@ -114,7 +114,7 @@ from .alerts-security.* METADATA _id, _version, _index
Esql.kibana_alert_rule_id_values = VALUES(kibana.alert.rule.rule_id),
Esql.kibana_alert_risk_score_values = VALUES(kibana.alert.risk_score),
Esql.kibana_alert_severity_values = VALUES(kibana.alert.severity),
Esql.user_entity_id_values = VALUES(user.entity.id),
Esql.user_entity_id_values = VALUES(aws.cloudtrail.user_identity.arn),
Esql.timestamp_min = MIN(@timestamp),
Esql.timestamp_max = MAX(@timestamp)
by source.ip
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/07/16"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -108,7 +108,7 @@ query = '''
data_stream.dataset: "aws.cloudtrail"
and event.provider: "iam.amazonaws.com"
and event.action: "UpdateAssumeRolePolicy"
and aws.cloudtrail.error_code: "MalformedPolicyDocumentException"
and error.code: "MalformedPolicyDocumentException"
and event.outcome: "failure"
'''

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -142,7 +142,7 @@ info where data_stream.dataset == "aws.cloudtrail"
)
and not stringContains(aws.cloudtrail.request_parameters, "arn:aws:cloudfront::")
and not stringContains(aws.cloudtrail.request_parameters, "arn:aws:iam::cloudfront:user")
and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)
and not stringContains(aws.cloudtrail.request_parameters, cloud.account.id)
'''


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/05/01"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -97,7 +97,7 @@ type = "threshold"
query = '''
data_stream.dataset: "aws.cloudtrail" and
event.provider : "s3.amazonaws.com" and
aws.cloudtrail.error_code : "AccessDenied" and
error.code : "AccessDenied" and
tls.client.server_name : *
'''

Expand Down
4 changes: 2 additions & 2 deletions rules/integrations/aws/initial_access_console_login_root.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/11"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand All @@ -25,7 +25,7 @@ note = """## Triage and analysis

The AWS root user is the original identity with unrestricted privileges over every resource in the account. Because it bypasses IAM boundaries and carries irreversible privileges, any successful root console login should be treated as a critical security event. AWS explicitly recommends locking away the root credentials and only using them for a small number of account-level administrative tasks (for example, closing an account, modifying support plans, or restoring MFA). See [Tasks that require the root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).

This rule detects a successful AWS Management Console login by the root user (`ConsoleLogin` events with `userIdentity.type: Root` and `event.outcome: Success`).
This rule detects a successful AWS Management Console login by the root user (`ConsoleLogin` events with `userIdentity.type: Root` and `event.outcome: success`).

#### Possible investigation steps

Expand Down
4 changes: 2 additions & 2 deletions rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/07/13"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/18"
updated_date = "2026/06/23"

[rule]
anomaly_threshold = 50
Expand Down Expand Up @@ -54,7 +54,7 @@ This rule uses a machine learning job to detect a significant spike in the rate

#### Possible investigation steps

- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.
- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `error.code field` field.
- Investigate other alerts associated with the user account during the past 48 hours.
- Validate the activity is not related to planned patches, updates, or network administrator activity.
- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.
Expand Down
4 changes: 2 additions & 2 deletions rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/07/13"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/18"
updated_date = "2026/06/23"

[rule]
anomaly_threshold = 50
Expand Down Expand Up @@ -56,7 +56,7 @@ Detection alerts from this rule indicate a rare and unusual error code that was

#### Possible investigation steps

- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.
- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `error.code field` field.
- Investigate other alerts associated with the user account during the past 48 hours.
- Validate the activity is not related to planned patches, updates, or network administrator activity.
- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -43,7 +43,7 @@ This rule detects Bedrock control-plane calls that enable model access at the ac
### Possible investigation steps

- Identify the principal by reviewing `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`, and determine whether the identity has any legitimate reason to manage Bedrock model access. A denial for an identity that should never touch these APIs is more suspicious than one from an admin with a transient permission gap.
- Inspect `aws.cloudtrail.error_code` and `aws.cloudtrail.error_message` to confirm the denial reason, and review `event.action` to determine which model-access action was attempted.
- Inspect `error.code` and `aws.cloudtrail.error_message` to confirm the denial reason, and review `event.action` to determine which model-access action was attempted.
- Verify the `source.ip` and `user_agent.original` of the request. An unexpected IP, geolocation, or automation user agent is suspicious.
- Confirm the `cloud.account.id` and `cloud.region` are expected for Bedrock usage in your environment.
- Correlate with recent activity from the same principal, such as new access key creation, IAM permission changes, or repeated denials across Bedrock/IAM APIs, which can indicate permission enumeration or escalation attempts.
Expand Down Expand Up @@ -92,7 +92,7 @@ data_stream.dataset: "aws.cloudtrail"
"CreateFoundationModelAgreement"
)
and event.outcome: "failure"
and aws.cloudtrail.error_code: (
and error.code: (
"AccessDenied" or
"AccessDeniedException"
)
Expand Down Expand Up @@ -121,7 +121,7 @@ field_names = [
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"aws.cloudtrail.error_code",
"error.code",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -49,7 +49,7 @@ take effect.
- Determine whether this identity has any legitimate reason to manage Bedrock resource policies. A denial for an
identity that should never touch these APIs is more suspicious than one from an admin with a transient gap.
- **Assess the attempt**
- Inspect `aws.cloudtrail.error_code` and `aws.cloudtrail.error_message` to confirm the denial reason.
- Inspect `error.code` and `aws.cloudtrail.error_message` to confirm the denial reason.
- For `PutResourcePolicy`, review `aws.cloudtrail.request_parameters` and
`aws.cloudtrail.flattened.request_parameters` for the target resource ARN and the attempted policy document.
Look for `Principal` values referencing external AWS account IDs, `"*"`, or unfamiliar roles.
Expand Down Expand Up @@ -101,7 +101,7 @@ data_stream.dataset: "aws.cloudtrail" and
event.provider: "bedrock.amazonaws.com" and
event.action: ("PutResourcePolicy" or "DeleteResourcePolicy") and
event.outcome: "failure" and
aws.cloudtrail.error_code: (
error.code: (
"AccessDenied" or
"AccessDeniedException"
)
Expand Down Expand Up @@ -132,7 +132,7 @@ field_names = [
"event.action",
"event.provider",
"event.outcome",
"aws.cloudtrail.error_code",
"error.code",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/11/24"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -41,7 +41,7 @@ This rule is a New Terms rule that detects when a previously unseen combination
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine:
- Whether the caller is an IAM user, federated user, or role.
- Whether this identity is normally used for organization-level administration or automation.
- Inspect `aws.cloudtrail.resources.account_id` and `aws.cloudtrail.recipient_account_id` to identify the affected member account.
- Inspect `aws.cloudtrail.resources.account_id` and `cloud.account.id` to identify the affected member account.
- Check `source.address`, `source.geo.*`, and `user_agent.original` to understand where and how the call was made (console, CLI, SDK, automation runner, VPN, corporate IP, etc.).

- **Understand session, policy, and target details**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/10/23"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/06/23"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -34,7 +34,7 @@ Role chaining occurs when a role assumed with temporary credentials (`AssumeRole

- **Review Alert Context**: Investigate the alert, focusing on `aws.cloudtrail.user_identity.session_context.session_issuer.arn` (the calling role) and `aws.cloudtrail.resources.arn` (the target role).

- **Determine scope and intent.** Check `aws.cloudtrail.recipient_account_id` and `aws.cloudtrail.resources.account_id` fields to identify whether the chaining is Intra-account (within the same AWS account) or Cross-account (from another AWS account).
- **Determine scope and intent.** Check `cloud.account.id` and `aws.cloudtrail.resources.account_id` fields to identify whether the chaining is Intra-account (within the same AWS account) or Cross-account (from another AWS account).

- **Check role privileges.** Compare policies of the calling and target roles. Determine if chaining increases permissions (for example, access to S3 data, IAM modifications, or admin privileges).

Expand Down Expand Up @@ -125,7 +125,7 @@ field_names = [
"aws.cloudtrail.resources.type",
"event.action",
"event.outcome",
"aws.cloudtrail.recipient_account_id",
"cloud.account.id",
"aws.cloudtrail.resources.account_id",
"cloud.region",
"aws.cloudtrail.request_parameters",
Expand Down
Loading
Loading