[Rule Tuning] - Tuning of 3 Existing Windows Rules #123
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added not to accessibility rule added whoami to system identity running discovery utility added regasm.exe to registration utility performing ntcon
Samirbous
changed the title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Outdated
Show resolved
Hide resolved
bm11100
reviewed
Aug 12, 2020
rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Outdated
Show resolved
Hide resolved
…the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Samirbous
requested review from
threat-punter,
randomuserid,
peasead and
seth-goodwin
brokensound77
approved these changes
Sep 4, 2020
rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Outdated
Show resolved
Hide resolved
…the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
threat-punter
approved these changes
Sep 4, 2020
terrancedejesus
added a commit
that referenced
this pull request
Sep 15, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5108 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a new rule for detecting `Azure RBAC Built-In Administrator Roles Assigned` from Azure Activity Logs. Please se issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE serverless stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 22, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5138 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a missing detection for Azure storage account updates that enabled Blob Storage public access. **Please see the related issue for more details.** <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE stack for example data. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 23, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5140 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds missing detection coverage for retrieving Azure Storage Account keys by a user with highly-privileged roles. Please see the related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE stack for telemetry visbility. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 26, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5152 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Updates all mappings for Azure / M365 rules for accuracy and missing mappings. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 26, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5154 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adjusts Azure / M365 rules regarding lookback windows, interval and index scopes. Please see related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 29, 2025
) <!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5140 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds missing detection coverage for retrieving Azure Storage Account keys by a user with highly-privileged roles. Please see the related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE stack for telemetry visbility. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 30, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5164 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Standardizes naming and file names for Azure & M365 rules. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test I've attached a list of all rule names for Azure and M365 in the related issue. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Sep 30, 2025
* [Rule Tuning] Update Azure / M365 Mappings <!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5152 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Updates all mappings for Azure / M365 rules for accuracy and missing mappings. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)? * reverting changes to unit test * changed webhook rule back to persistence * Update rules/integrations/azure/persistence_azure_automation_webhook_created.toml * updated date * updating date --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
terrancedejesus
added a commit
that referenced
this pull request
Sep 30, 2025
…#5155) * [Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows <!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5154 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adjusts Azure / M365 rules regarding lookback windows, interval and index scopes. Please see related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)? * fixing timestamps * Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * update dates * Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml * Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
terrancedejesus
added a commit
that referenced
this pull request
Oct 2, 2025
# Pull Request *Issue link(s)*: * #5178 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds detection capabilities for Azure Storage Blob retrieval via AzCopy with SAS tokens. Related to behavior observed by Storm-0501. Please see related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Oct 3, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5183 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Tunes the `Azure Entra ID Rare App ID for Principal Authentication` rule to ignore specific first-party client IDs that generate FPs regarding this rule. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE or telemetry stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Oct 6, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5183 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Tunes the `Azure Entra ID Rare App ID for Principal Authentication` rule to ignore specific first-party client IDs that generate FPs regarding this rule. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE or telemetry stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Oct 6, 2025
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5138 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a missing detection for Azure storage account updates that enabled Blob Storage public access. **Please see the related issue for more details.** <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE stack for example data. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Oct 6, 2025
* [New Rule] Azure RBAC Built-In Administrator Roles Assigned <!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5108 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a new rule for detecting `Azure RBAC Built-In Administrator Roles Assigned` from Azure Activity Logs. Please se issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE serverless stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)? * fixed query logic * fixed query logc * fixed query logic * adding field to non-ecs * updated UUID
terrancedejesus
added a commit
that referenced
this pull request
Oct 6, 2025
*Issue link(s)*: * #5185 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a specific detection rule for admin confirmed compromise by Entra ID protection. Relates to BBR rule `Microsoft Entra ID Protection - Risk Detections`. Please see related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE serverless stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added a commit
that referenced
this pull request
Oct 6, 2025
…cted <!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5189 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Tunes `Suspicious Entra ID OAuth User Impersonation Scope Detected (9563dace-5822-11f0-b1d3-f661ea17fbcd)` rule to reduce FPs. Please see related issue for more information. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE stack. TeamFiltration testing and matches occurred in July 2025. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
resolves #122
Summary
Minor tunning to 3 of existing windows detection rules
Contributor checklist