diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json
index 000d9dccff1..d8f0a4a62d2 100644
--- a/detection_rules/etc/api_schemas/master/master.base.json
+++ b/detection_rules/etc/api_schemas/master/master.base.json
@@ -83,15 +83,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -108,8 +108,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -146,11 +147,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -166,12 +178,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -187,8 +203,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -222,7 +236,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
@@ -310,13 +323,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -331,7 +344,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
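Review bot: Removing `"maximum": 100` and `"minimum": 1` from `risk_score` in the `@@ -187,8 +203,6 @@` hunk of master.base.json leaves the field an unbounded integer, so a rule with a negative or out-of-range score now passes this schema and is only rejected when the payload reaches Kibana. The same loss repeats across the diff (the `interval` regex, the `max_signals` and `version` minimums, the `minLength` on string arrays), which suggests the generator that emits these schemas no longer carries validator metadata through; if so the fix belongs in the generator or its source definitions rather than in this JSON. If the bounds cannot be regenerated, restore them by hand ahead of the type: `"maximum": 100,` / `"minimum": 1,`. The enclosing `properties` object starts and ends outside this hunk.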
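Review bot: With the UUID pattern dropped from `rule_id` in the `@@ -222,7 +236,6 @@` hunk, any string — including an empty one — validates as a rule identifier, and `rule_id` is also newly listed in `required` further down this diff, so the key that identifies a rule across updates is now the least-constrained field in the schema. A malformed id will surface only on import rather than in local validation. Restore the removed line, `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",`; `"format": "uuid"` is not a substitute on its own because validators treat `format` as an annotation unless told to enforce it.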
@@ -345,13 +357,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -362,7 +374,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -387,10 +400,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -417,13 +434,17 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
+ "name",
+ "risk_score",
+ "rule_id",
 "severity",
 "type"
 ],
diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json
index 3f8af847597..c02f1f22139 100644
--- a/detection_rules/etc/api_schemas/master/master.eql.json
+++ b/detection_rules/etc/api_schemas/master/master.eql.json
@@ -35,33 +35,29 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 },
 "group_by": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 },
 "missing_fields_strategy": {
- "enum": [
- "suppress",
- "doNotSuppress"
- ],
- "enumNames": [],
 "type": "string"
 }
 },
+ "required": [
+ "group_by",
+ "missing_fields_strategy"
+ ],
 "type": "object"
 },
 "author": {
@@ -147,15 +143,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -178,8 +174,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
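Review bot: The single-element `"type": ["string"]` arrays introduced for `timeline_id` and `timeline_title` in the `@@ -387,10 +400,14 @@` hunk of master.base.json are equivalent to the scalar `"type": "string"` they replace, so the rewrite changes nothing a validator can observe. The array form is normally used to admit a second type, typically `"null"` for a nullable field; if that was the intent here the list needs `"string", "null"`, and if not, the scalar form is the clearer spelling. This looks like generator output, so the inconsistency is worth fixing at the source rather than by hand.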
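Review bot: `missing_fields_strategy` loses its `enum` in the `@@ -35,33 +35,29 @@` hunk of master.eql.json while becoming `required`, so a misspelling such as `"donotsuppress"` now validates locally and is only caught by Kibana; likewise `group_by` is newly required but has lost `minItems`/`maxItems`, so an empty list satisfies the schema. Making a key mandatory without constraining its value buys little. Restore `"enum": ["suppress", "doNotSuppress"]` on `missing_fields_strategy` and `"minItems": 1, "maxItems": 3` on `group_by` (the bounds the removed lines carried), or, if these files are regenerated, make sure the source definitions' choices and length validators reach the emitted schema.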
@@ -219,11 +216,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -239,12 +247,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -260,8 +272,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -295,7 +305,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
@@ -383,13 +392,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -404,7 +413,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -418,13 +426,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -435,7 +443,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -466,10 +475,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_field": {
 "min_compat": "8.0",
@@ -494,15 +507,19 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
 "language",
+ "name",
 "query",
+ "risk_score",
+ "rule_id",
 "severity",
 "type"
 ],
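Review bot: The MITRE `reference` URLs lose their `pattern` in the `@@ -383,13 +392,13 @@` hunk of master.eql.json (and in the technique and subtechnique hunks that follow) at the same time as `reference` becomes `required`, so the schema now insists on a link but no longer checks that it points at `https://attack.mitre.org/...`. A rule carrying a plain-http or off-site reference would pass local validation, which defeats the purpose of pinning the field. Restore the removed `"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",` (and the technique/subtechnique equivalents) alongside the new `required` entry, or confirm that the URL check now happens elsewhere in the rule loader.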
diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json
index dc5f6f13861..9b65120b161 100644
--- a/detection_rules/etc/api_schemas/master/master.esql.json
+++ b/detection_rules/etc/api_schemas/master/master.esql.json
@@ -35,33 +35,29 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 },
 "group_by": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 },
 "missing_fields_strategy": {
- "enum": [
- "suppress",
- "doNotSuppress"
- ],
- "enumNames": [],
 "type": "string"
 }
 },
+ "required": [
+ "group_by",
+ "missing_fields_strategy"
+ ],
 "type": "object"
 },
 "author": {
@@ -141,15 +137,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -172,8 +168,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -213,11 +210,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -233,12 +241,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -254,8 +266,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -289,7 +299,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
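Review bot: `interval` loses its `"^\\d+[mshd]$"` pattern in the `@@ -141,15 +137,15 @@` hunk of master.esql.json, so a value such as `"5 minutes"` or `"5"` now validates as a schedule even though the removed regex was the only local check on the unit suffix. A bad interval is the kind of error that otherwise only shows up once the rule is scheduled. Restore `"pattern": "^\\d+[mshd]$",` next to the type, or have the generator re-emit it if this file is produced from the Python definitions.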
@@ -377,13 +386,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -398,7 +407,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -412,13 +420,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -429,7 +437,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -454,10 +463,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -476,15 +489,19 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
 "language",
+ "name",
 "query",
+ "risk_score",
+ "rule_id",
 "severity",
 "type"
 ],
diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json
index c86efac222f..1c6f3718689 100644
--- a/detection_rules/etc/api_schemas/master/master.machine_learning.json
+++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json
@@ -35,33 +35,29 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 },
 "group_by": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 },
 "missing_fields_strategy": {
- "enum": [
- "suppress",
- "doNotSuppress"
- ],
- "enumNames": [],
 "type": "string"
 }
 },
+ "required": [
+ "group_by",
+ "missing_fields_strategy"
+ ],
 "type": "object"
 },
 "anomaly_threshold": {
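Review bot: `version` loses `"minimum": 1` in the `@@ -476,15 +489,19 @@` hunk of master.esql.json, so a zero or negative rule version validates; the same hunk adds `name`, `risk_score` and `rule_id` to `required`, which is a good tightening but does not compensate for the lost lower bound. If the generator cannot express numeric bounds any more, consider keeping a small hand-maintained overlay or re-adding `"minimum": 1,` after regeneration, since a non-positive version will otherwise only be rejected downstream.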
@@ -131,15 +127,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -169,8 +165,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -207,11 +204,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -227,12 +235,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -248,8 +260,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -283,7 +293,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
@@ -371,13 +380,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -392,7 +401,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -406,13 +414,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -423,7 +431,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
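Review bot: `related_integrations` gains `"required": ["package", "version"]` in the `@@ -207,11 +204,22 @@` hunk of master.machine_learning.json while `package` loses `"minLength": 1`, so `{"package": "", "version": ""}` now satisfies the schema. The new `version` and `integration` properties have no constraints at all, which is surprising for a field that is supposed to pin an integration package. At minimum restore `"minLength": 1` on `package` and give `version` the same, or a pattern matching the version-range syntax these entries actually use, if the generator can be made to emit it.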
@@ -448,10 +457,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -470,8 +483,9 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
@@ -479,6 +493,9 @@
 "author",
 "description",
 "machine_learning_job_id",
+ "name",
+ "risk_score",
+ "rule_id",
 "severity",
 "type"
 ],
diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json
index a2c679c8e4f..52f0ef274b9 100644
--- a/detection_rules/etc/api_schemas/master/master.new_terms.json
+++ b/detection_rules/etc/api_schemas/master/master.new_terms.json
@@ -35,33 +35,29 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 },
 "group_by": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 },
 "missing_fields_strategy": {
- "enum": [
- "suppress",
- "doNotSuppress"
- ],
- "enumNames": [],
 "type": "string"
 }
 },
+ "required": [
+ "group_by",
+ "missing_fields_strategy"
+ ],
 "type": "object"
 },
 "author": {
@@ -141,15 +137,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -176,8 +172,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -200,7 +197,6 @@
 "additionalProperties": false,
 "properties": {
 "field": {
- "minLength": 1,
 "type": "string"
 },
 "history_window_start": {
@@ -208,26 +204,31 @@
 "additionalProperties": false,
 "properties": {
 "field": {
- "minLength": 1,
+ "type": "string"
+ },
+ "value": {
 "type": "string"
 }
 },
+ "required": [
+ "field",
+ "value"
+ ],
 "type": "object"
 },
 "type": "array"
 },
 "value": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 }
 },
 "required": [
- "history_window_start"
+ "field",
+ "history_window_start",
+ "value"
 ],
 "type": "object"
 },
@@ -252,11 +253,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -272,12 +284,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -293,8 +309,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -328,7 +342,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
@@ -416,13 +429,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -437,7 +450,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -451,13 +463,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -468,7 +480,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
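Review bot: In the `@@ -208,26 +204,31 @@` hunk of master.new_terms.json the `new_terms.value` array loses `"minItems": 1` and `"maxItems": 3` in the same change that adds `value` to `required`, so a rule with `"value": []` now validates even though an empty list of new-terms fields cannot produce a meaningful rule. The same applies to the nested `history_window_start` entries, where `field` and `value` become required but `"minLength": 1` is dropped, so empty strings pass. Restore `"minItems": 1, "maxItems": 3` on `value` and `"minLength": 1` on the string items, or confirm the loader enforces these bounds in Python. The enclosing `new_terms` property starts outside this hunk.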
@@ -493,10 +506,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -515,16 +532,20 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
 "language",
+ "name",
 "new_terms",
 "query",
+ "risk_score",
+ "rule_id",
 "severity",
 "type"
 ],
diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json
index 651aad60827..acc0c13ff3d 100644
--- a/detection_rules/etc/api_schemas/master/master.query.json
+++ b/detection_rules/etc/api_schemas/master/master.query.json
@@ -35,33 +35,29 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 },
 "group_by": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 },
 "missing_fields_strategy": {
- "enum": [
- "suppress",
- "doNotSuppress"
- ],
- "enumNames": [],
 "type": "string"
 }
 },
+ "required": [
+ "group_by",
+ "missing_fields_strategy"
+ ],
 "type": "object"
 },
 "author": {
@@ -141,15 +137,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -176,8 +172,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -217,11 +214,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
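Review bot: `alert_suppression.duration.value` loses `"minimum": 1` in the `@@ -35,33 +35,29 @@` hunk of master.query.json at the same time as `value` is added to `required`, so a suppression window of `0` or a negative number now satisfies the schema. A required field whose value is unconstrained is a weaker check than the optional-but-bounded one it replaces. Restore `"minimum": 1,` on `value` (the bound the removed line carried), or make sure the generator emits it.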
@@ -237,12 +245,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -258,8 +270,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -293,7 +303,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
@@ -381,13 +390,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -402,7 +411,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -416,13 +424,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -433,7 +441,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -458,10 +467,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -480,15 +493,19 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
 "language",
+ "name",
 "query",
+ "risk_score",
+ "rule_id",
 "severity",
 "type"
 ],
diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json
index c2d5fd189ab..fbbbeb9dd1f 100644
--- a/detection_rules/etc/api_schemas/master/master.threat_match.json
+++ b/detection_rules/etc/api_schemas/master/master.threat_match.json
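Review bot: `required_fields` entries gain `"required": ["ecs", "name", "type"]` in the `@@ -237,12 +245,16 @@` hunk of master.query.json, but `name` loses `"minLength": 1` and the new `type` property is an unconstrained string, so `{"ecs": true, "name": "", "type": ""}` validates. If `type` is meant to be an Elasticsearch field type it is a natural candidate for an `enum`; at least restore `"minLength": 1` on both strings so a required key cannot be satisfied by an empty value.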
@@ -35,33 +35,29 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 },
 "group_by": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
- "minItems": 1,
 "type": "array"
 },
 "missing_fields_strategy": {
- "enum": [
- "suppress",
- "doNotSuppress"
- ],
- "enumNames": [],
 "type": "string"
 }
 },
+ "required": [
+ "group_by",
+ "missing_fields_strategy"
+ ],
 "type": "object"
 },
 "author": {
@@ -78,6 +74,11 @@
 "string"
 ]
 },
+ "concurrent_searches": {
+ "type": [
+ "integer"
+ ]
+ },
 "data_view_id": {
 "type": [
 "string"
@@ -141,15 +142,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -160,6 +161,11 @@
 ],
 "type": "object"
 },
+ "items_per_search": {
+ "type": [
+ "integer"
+ ]
+ },
 "language": {
 "enum": [
 "eql",
@@ -176,8 +182,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -217,11 +224,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -237,12 +255,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -258,8 +280,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -293,7 +313,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
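Review bot: The new `concurrent_searches` property in the `@@ -78,6 +74,11 @@` hunk of master.threat_match.json (and `items_per_search` in the `@@ -160,6 +161,11 @@` hunk below it) is declared as a bare integer with no `minimum`, so `0` and negative values pass, and the rest of this diff is removing the minimums that would otherwise have been emitted for fields like these. Both control how the indicator-match search fans out, so a zero page size or concurrency is unlikely to be a value you want accepted silently. Add `"minimum": 1` to each, or confirm the Python definitions these were generated from carry the bound and that it is simply not reaching the JSON.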
@@ -381,13 +400,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -402,7 +421,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -416,13 +434,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -433,7 +451,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -501,7 +520,6 @@
 "additionalProperties": false,
 "properties": {
 "field": {
- "minLength": 1,
 "type": "string"
 },
 "type": {
@@ -509,10 +527,15 @@
 "mapping"
 ],
 "type": "string"
+ },
+ "value": {
+ "type": "string"
 }
 },
 "required": [
- "type"
+ "field",
+ "type",
+ "value"
 ],
 "type": "object"
 },
@@ -537,10 +560,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -559,15 +586,19 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
 "language",
+ "name",
 "query",
+ "risk_score",
+ "rule_id",
 "severity",
 "threat_index",
 "threat_mapping",
diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json
index 3fefec3cf9c..9f1e1457506 100644
--- a/detection_rules/etc/api_schemas/master/master.threshold.json
+++ b/detection_rules/etc/api_schemas/master/master.threshold.json
@@ -35,12 +35,12 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "unit"
+ "unit",
+ "value"
 ],
 "type": "object"
 }
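Review bot: The threat-mapping entry in the `@@ -509,10 +527,15 @@` hunk of master.threat_match.json makes `field`, `type` and `value` all required, which is the right shape for a mapping, but the preceding hunk drops `"minLength": 1` from `field` and the new `value` property has no length constraint either, so an entry with empty field names validates. An empty `field` or `value` in a threat mapping is never meaningful, so restore `"minLength": 1` on both (or have the generator emit it) so the `required` tightening actually rejects blank entries. The enclosing `threat_mapping` array starts outside this hunk.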
@@ -127,15 +127,15 @@
 ]
 },
 "interval": {
- "pattern": "^\\d+[mshd]$",
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -162,8 +162,9 @@
 ]
 },
 "max_signals": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 },
 "meta": {
 "additionalProperties": {
@@ -203,11 +204,22 @@
 "items": {
 "additionalProperties": false,
 "properties": {
+ "integration": {
+ "type": [
+ "string"
+ ]
+ },
 "package": {
- "minLength": 1,
+ "type": "string"
+ },
+ "version": {
 "type": "string"
 }
 },
+ "required": [
+ "package",
+ "version"
+ ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -223,12 +235,16 @@
 "type": "boolean"
 },
 "name": {
- "minLength": 1,
+ "type": "string"
+ },
+ "type": {
 "type": "string"
 }
 },
 "required": [
- "ecs"
+ "ecs",
+ "name",
+ "type"
 ],
 "type": "object"
 },
@@ -244,8 +260,6 @@
 ]
 },
 "risk_score": {
- "maximum": 100,
- "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -279,7 +293,6 @@
 ]
 },
 "rule_id": {
- "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
 "type": "string"
 },
 "rule_name_override": {
@@ -367,13 +380,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -388,7 +401,6 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
@@ -402,13 +414,13 @@
 "type": "string"
 },
 "reference": {
- "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
@@ -419,7 +431,8 @@
 },
 "required": [
 "id",
- "name"
+ "name",
+ "reference"
 ],
 "type": "object"
 },
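Review bot: `max_signals` loses `"minimum": 1` in the `@@ -162,8 +162,9 @@` hunk of master.threshold.json, so a rule declaring `"max_signals": 0` or a negative cap now validates locally; a zero cap would make the rule generate no alerts at all, which is the kind of misconfiguration this schema used to catch before the rule was pushed. Restore `"minimum": 1,` inside the `max_signals` object, or keep the bound in whatever definition this file is regenerated from.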
@@ -449,12 +462,12 @@
 "type": "string"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
 "required": [
- "field"
+ "field",
+ "value"
 ],
 "type": "object"
 },
@@ -464,17 +477,18 @@
 },
 "field": {
 "items": {
- "minLength": 1,
 "type": "string"
 },
- "maxItems": 3,
 "type": "array"
 },
 "value": {
- "minimum": 1,
 "type": "integer"
 }
 },
+ "required": [
+ "field",
+ "value"
+ ],
 "type": "object"
 },
 "throttle": {
@@ -483,10 +497,14 @@
 ]
 },
 "timeline_id": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_title": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timestamp_override": {
 "type": [
@@ -505,15 +523,19 @@
 "type": "string"
 },
 "version": {
- "minimum": 1,
- "type": "integer"
+ "type": [
+ "integer"
+ ]
 }
 },
 "required": [
 "author",
 "description",
 "language",
+ "name",
 "query",
+ "risk_score",
+ "rule_id",
 "severity",
 "threshold",
 "type"
diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json
index 80078c9882e..f2e253d3cc4 100644
--- a/detection_rules/etc/attack-technique-redirects.json
+++ b/detection_rules/etc/attack-technique-redirects.json
@@ -133,5 +133,5 @@
 "T1547.011": "T1647",
 "T1574.002": "T1574.001"
 },
- "saved_date": "Mon May 19 22:22:25 2025"
+ "saved_date": "Mon Sep 1 17:34:47 2025"
 }
\ No newline at end of file
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index bf456e17255..20758b8413e 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v9.1.3.json.gz b/detection_rules/etc/beats_schemas/v9.1.3.json.gz
new file mode 100644
index 00000000000..0418426faa4
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.1.3.json.gz differ
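Review bot: In the `@@ -464,17 +477,18 @@` hunk of master.threshold.json the threshold `value` loses `"minimum": 1` and `field` loses `"maxItems": 3` while both become `required`, so a threshold of `0` (which fires on every bucket) or a negative count now validates, and an arbitrarily long `field` list is accepted. The `cardinality` entries in the preceding hunk lose the same `"minimum": 1`. Restore `"minimum": 1` on both `value` fields and `"maxItems": 3` on `field`, the bounds the removed lines carried, unless these limits are now enforced by the Python loader before the schema is consulted. The enclosing `threshold` property starts outside this hunk.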
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index 8de7f116874..ab914b1af79 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 73a32dabb00..f60f483d7c8 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index d9a8813b916..8ab6e6b838d 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index fe4de36b34f..893e0c17935 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index c58c159b360..1cbfd5270ca 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index afd9e10d01e..2ee2ab5ebba 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index a10bf8450db..d4d3fb1fc34 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 8c9473d30cb..4ca87644d80 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index 15a2eba75bc..79b86f1c6d0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index 3b0dd453b7a..571ab1fbdaf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 5818f7b4891..1689f21f383 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index 789a12940b0..8d61e43fa1a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 5ee3fb57f8e..318add40a8a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index 5db74034af2..8d98148658a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index 2db22a52a94..21a5c4a0ffd 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index 2cdcfe0df85..50974cd957d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index 019cab1d392..526b3be4033 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
index 2a4f84a2e32..bcbe7d588e0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz index 5321c150939..673aa1ea662 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz index 2fbe5260bbf..ee0f7ae8522 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz index 3f070f43196..ea63e6adaef 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz index b31dd8323b6..a0bfee3a545 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz index 98157579b80..9e3089e388d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz index fd2c0ba755c..d105a8264ad 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz index f446a4eeb07..6aeb4d5ba5b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz index 61a52bdb66e..c40676d74db 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz index 87e0b287c71..7cf8f9ea937 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz index 087684a86ec..d073897aef3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 1bf7fcdfa73..0cb9c5c6ce0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index 9cd7424a13d..4d762f4af0d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index eb4c0173901..e40f63f3564 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index c78782ff4b1..96880672259 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index 8d059e85c1d..7d72833c818 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 9c047f0f3a2..9bf6fad35fc 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index 11935b54631..a9a8737261a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz index 29814018f33..c9dc73734dc 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index 9e02aba765e..75068671cbf 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index e17038a392d..333c344b141 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 0a1edfbdb5d..d303388d810 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index c4d5561a119..3a9673135a7 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index 6e17d27892a..e4d8910909a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index 6c8b59dc114..9e3391e159e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index ed2b502eee9..62739be5f2e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index 91a868d9217..4aab026ff20 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index 96071f728dc..19c697191c3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index d42b57d6167..e09a944cbe8 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index d3dfb461581..58d02680f7b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index 3a41fd6de99..0cda9af67e3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index 4629854ae4a..80f39795192 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index 2b454a4c618..433201e87a3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index 5d049870ee6..d65f25e4f05 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index 20b591b1715..c70af0e0182 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz index ce30d394b0e..bf7ea0d12b4 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index 6f5fcc1191d..9a1a88e1d31 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz index 7d5d5f2d73d..3010e1ea0ec 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz index 8b551f1b9d2..bd6318509f9 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz index 35872d6a4d7..b73d3cb13cf 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz index dc2e8c05012..82efa25c272 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz similarity index 99% rename from detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz rename to detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz index 2e86536ea5b..606ff8a1f93 100644 Binary files a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz new file mode 100644 index 00000000000..84271da92fb Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index b1ed4c067e4..6f6348e4bd4 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index a55e4ef2382..1bd3454deb0 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 3614c7b9c50..7aa867fca11 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -135,11 +135,11 @@ endgame: "8.4.0" "9.1.0": - beats: "9.0.3" - ecs: "9.0.0" + beats: "9.1.3" + ecs: "9.1.0" endgame: "8.4.0" "9.2.0": - beats: "9.0.3" - ecs: "9.0.0" + beats: "9.1.3" + ecs: "9.1.0" endgame: "8.4.0" \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index a9f9f718aa3..88543297bb5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.3.26" +version = "1.3.27" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" 
diff --git a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
index 5aac18b3395..9b885eab6ea 100644
--- a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
+++ b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
@@ -3,7 +3,7 @@ creation_date = "2025/08/19"
 integration = ["o365"]
 maturity = "production"
 promotion = true
-updated_date = "2025/08/19"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,42 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
 name = "M365 Threat Intelligence Signal"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating M365 Threat Intelligence Signal
+
+Microsoft 365 Threat Intelligence leverages audit logs to monitor activities across services like Exchange Online and SharePoint. Adversaries may exploit these platforms for phishing, gaining initial access. The detection rule identifies signals from Microsoft Defender, focusing on audit logs tagged with "ThreatIntelligence," to pinpoint potential abuse, assigning a medium risk score to such events.
+
+### Possible investigation steps
+
+- Review the audit logs filtered by event.dataset: "o365.audit" and event.provider: "ThreatIntelligence" to identify the specific activities flagged by the rule.
+- Examine the user accounts associated with the flagged activities to determine if they have been compromised or are behaving anomalously.
+- Investigate the source IP addresses and locations associated with the flagged events to identify any unusual or suspicious access patterns.
+- Check for any related alerts or signals in Microsoft Defender for Office 365 that might provide additional context or corroborate the threat.
+- Assess the potential impact on Exchange Online, SharePoint Online, and OneDrive for Business by reviewing any changes or access attempts to sensitive data or configurations.
+- Determine if the flagged activities align with known phishing techniques (MITRE ATT&CK T1566) and assess the likelihood of initial access attempts.
+
+### False positive analysis
+
+- Routine administrative activities in Exchange Online or SharePoint Online may trigger audit logs tagged with "ThreatIntelligence" without indicating malicious intent. Review these logs to identify patterns of legitimate administrative actions and consider excluding them from the detection rule.
+- Automated processes or third-party integrations with Microsoft 365 services can generate audit logs similar to those flagged by the rule. Identify these processes and create exceptions for known benign activities to reduce false positives.
+- Frequent file sharing or collaboration activities in OneDrive for Business might be misinterpreted as potential threats. Analyze the context of these activities and exclude regular business operations from the rule to prevent unnecessary alerts.
+- Regular updates or maintenance tasks performed by IT staff can appear as suspicious activities. Establish a baseline of expected behavior during these periods and adjust the detection rule to accommodate these known activities.
+- User training sessions or onboarding processes may involve actions that mimic initial access tactics. Monitor these events and exclude them from the rule when they align with scheduled training or onboarding activities.
+
+### Response and remediation
+
+- Immediately isolate any affected accounts or systems identified in the audit logs to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the audit logs to identify any additional suspicious activities or compromised accounts related to the Threat Intelligence signals.
+- Reset passwords for compromised accounts and enforce multi-factor authentication to enhance security and prevent further unauthorized access.
+- Notify relevant stakeholders, including IT security teams and management, about the incident and potential impact, ensuring alignment on response actions.
+- Escalate the incident to Microsoft support if necessary, providing detailed information from the audit logs to assist in further investigation and resolution.
+- Implement additional monitoring and alerting for similar threat indicators to enhance detection capabilities and prevent recurrence.
+- Review and update security policies and configurations for Exchange Online, SharePoint Online, and OneDrive for Business to mitigate vulnerabilities exploited by adversaries.
+"""
 references = [
     "https://learn.microsoft.com/en-us/purview/audit-supported-services",
     "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365",
@@ -44,6 +80,7 @@ tags = [
     "Data Source: Microsoft Defender Threat Intelligence",
     "Use Case: Threat Detection",
     "Tactic: Initial Access",
+    "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
index 1b37fa8af74..8dfe7464b01 100644
--- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
+++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/24"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
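Review bot: The response section of the new `note` opens with "Immediately isolate any affected accounts or systems", but this rule is a promotion of Defender Threat Intelligence audit events (`promotion = true` and `max_signals = 1000` in the surrounding metadata), so every forwarded signal, including ones Defender already quarantined or removed, would prompt a containment action. I would gate that step on the underlying verdict, e.g. `- Confirm the remediation status of the underlying Defender alert (delivered, quarantined, removed post-delivery) before isolating anything; isolate only where a user interacted with a delivered message.` The investigation steps also never direct the analyst to the originating Defender for Office 365 alert itself; a bullet such as `- Retrieve the originating Defender alert (threat type, verdict, affected recipients) from the ThreatIntelligence record before interpreting the signal.` would anchor the triage. The guide states the rule assigns a medium risk score, which is not visible in this hunk, so it is worth confirming against the rule's actual `risk_score`.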
@@ -15,6 +15,48 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multi-Base64 Decoding Attempt from Suspicious Location"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Multi-Base64 Decoding Attempt from Suspicious Location
+
+Base64 encoding is a common method to encode binary data into ASCII text, often used for data transmission. Adversaries exploit this by encoding malicious payloads to evade detection. The detection rule identifies suspicious decoding activities, especially from unusual directories, by monitoring rapid sequences of decoding commands. It excludes benign processes to reduce false positives, focusing on potential threats in Linux environments.
+
+### Possible investigation steps
+
+- Review the process details, including the parent entity ID and executable path, to understand the context of the decoding activity and identify the parent process responsible for initiating the base64 commands.
+- Examine the working directory where the decoding occurred, focusing on suspicious locations such as "/tmp/*", "/var/tmp*", "/dev/shm/*", "/var/www/*", "/home/*", and "/root/*" to determine if the activity aligns with typical usage patterns or if it indicates potential malicious behavior.
+- Analyze the command-line arguments used in the decoding process, specifically looking for "-d*" or "--d*" flags, to assess whether the decoding was intended to obfuscate data or execute hidden payloads.
+- Investigate the sequence of events within the 3-second maxspan to identify any rapid or automated decoding attempts that could suggest scripted or malicious activity.
+- Check for any exclusions in the rule, such as known benign processes or directories, to ensure the alert is not a false positive and the activity is genuinely suspicious.
+- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and determine if this is part of a larger attack or isolated incident.
+
+### False positive analysis
+
+- Scheduled tasks or cron jobs may trigger base64 decoding in benign processes. Exclude known executables like "/etc/cron.daily/vivaldi" and "/etc/cron.daily/opera-browser" to reduce false positives.
+- System management tools or agents, such as those located in "/opt/microsoft/omsagent/plugin" or "/opt/rapid7/ir_agent/*", might use base64 decoding for legitimate purposes. Add these directories to the exclusion list to prevent unnecessary alerts.
+- Temporary directories like "/tmp/newroot/*" may be used by legitimate applications for transient data processing. Consider excluding these paths if they are frequently involved in non-malicious activities.
+- User scripts or applications in home directories may use base64 for encoding or decoding data. Monitor and whitelist specific user processes that are known to be safe to avoid false positives.
+- Regularly review and update the exclusion list based on observed benign activities to ensure the rule remains effective without generating excessive false alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system to prevent further execution of potentially malicious payloads. Disconnect the system from the network to contain the threat.
+
+- Review and terminate any suspicious processes identified by the detection rule, particularly those involving base64 decoding from unusual directories. Use process management tools to kill these processes.
+
+- Conduct a thorough examination of the directories flagged by the alert (e.g., /tmp, /var/tmp, /dev/shm) to identify and remove any malicious files or scripts. Ensure these directories are cleaned of unauthorized or suspicious content.
+
+- Restore the system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise.
+
+- Escalate the incident to the security operations team for further investigation and analysis. Provide them with logs and details of the processes and directories involved for deeper threat assessment.
+
+- Implement additional monitoring and alerting for similar suspicious activities, focusing on rapid sequences of base64 decoding commands and unusual directory usage to enhance detection capabilities.
+
+- Review and update access controls and permissions for the directories involved to prevent unauthorized access and execution of potentially harmful scripts or binaries.
+"""
 risk_score = 21
 rule_id = "03d856c2-7f74-4540-a530-e20af5e39789"
 setup = """## Setup
@@ -50,6 +92,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Tactic: Execution",
     "Data Source: Elastic Defend",
+    "Resources: Investigation Guide"
 ]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 13d07e09b4a..9724eb9f0d7 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
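Review bot: The remediation section of the new `note` starts with network isolation and process termination, which is out of proportion with the rule's own `risk_score = 21` (visible in the trailing context) and with its scope, since base64 decoding under `/home/*`, `/var/www/*` or `/tmp/*` is routine on build hosts and web servers. I would make the first response step a confirmation step: `- Recover the encoded input (the file argument, or the upstream command in process.parent.command_line) and decode it offline; treat an ELF header, a shebang line, or a second base64 layer as confirmation before escalating to isolation.` The investigation steps cite the `-d*`/`--d*` flags and a 3-second maxspan, which come from the query outside this hunk, so that text needs to be rechecked whenever the query changes. The false-positive bullets tell users to exclude specific paths such as `/etc/cron.daily/vivaldi` and `/opt/rapid7/ir_agent/*`; if those are already excluded in the query, the advice should read "verify they remain excluded" rather than "add", because an analyst who adds them again will create duplicate exceptions.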
@@ -120,9 +120,9 @@ id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
 
 
 
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index ba2cc403a99..2722e230a33 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
@@ -111,9 +111,9 @@ id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
 
 
 
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index ba8e90302ae..776aef92a73 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
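Review bot: The sub-technique remap from `T1574.002` / `DLL Side-Loading` to `T1574.001` / `DLL` in both Windows rules appears to track the ATT&CK release that folded DLL Side-Loading into T1574.001 and renamed it, but nothing in the hunks records which ATT&CK version drives the rename; if the repository validates technique names against a pinned ATT&CK dataset older than that release, the name `DLL` will not match what the validator expects for `T1574.001`. The commit also touches `defense_evasion_unsigned_dll_loaded_from_suspdir.toml`, whose rule `name` still reads "Unsigned DLL Side-Loading …", but its threat mapping is outside the visible hunks, so check that it is migrated off `T1574.002` in the same pass rather than left on a revoked ID. A TOML array-of-tables has no room for an inline comment, so the ATT&CK version should at least be stated in the commit message.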
@@ -16,6 +16,40 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Side-Loading from a Suspicious Folder"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unsigned DLL Side-Loading from a Suspicious Folder
+
+DLL side-loading exploits the trust of signed executables to load malicious DLLs, often from suspicious directories. Adversaries use this to bypass security measures by placing unsigned DLLs in locations mimicking legitimate paths. The detection rule identifies this by checking for trusted programs loading recently modified, unsigned DLLs from atypical directories, signaling potential evasion tactics.
+
+### Possible investigation steps
+
+- Review the process code signature to confirm the legitimacy of the trusted program that loaded the DLL. Check if the process is expected to run from the identified directory.
+- Examine the DLL's path and creation or modification time to determine if it aligns with typical user or system activity. Investigate why the DLL was recently modified or created.
+- Analyze the DLL's code signature status to understand why it is unsigned or has an error status. This can help identify if the DLL is potentially malicious.
+- Investigate the parent process and any associated child processes to understand the context of the DLL loading event. This can provide insights into how the DLL was introduced.
+- Check for any recent changes or anomalies in the system or user activity logs around the time the DLL was created or modified to identify potential indicators of compromise.
+- Correlate the alert with other security events or alerts in the environment to determine if this is part of a broader attack or isolated incident.
+
+### False positive analysis
+
+- Legitimate software updates or installations may temporarily load unsigned DLLs from atypical directories. Users can create exceptions for known update processes by verifying the source and ensuring the process is part of a legitimate update.
+- Custom or in-house applications might load unsigned DLLs from non-standard directories. Users should verify the application's behavior and, if deemed safe, exclude these specific paths or processes from the rule.
+- Development environments often involve testing unsigned DLLs in various directories. Developers can exclude these environments by specifying the directories or processes involved in the development workflow.
+- Some third-party security or system management tools may use unsigned DLLs for legitimate purposes. Users should confirm the tool's legitimacy and add exceptions for these tools to prevent false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the process associated with the unsigned DLL to stop any ongoing malicious operations.
+- Quarantine the suspicious DLL file and any related files for further analysis to understand the scope and nature of the threat.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
+- Review and restore any altered system configurations or settings to their original state to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has impacted other systems.
+- Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future."""
 references = [
     "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
 ]
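Review bot: The relocated `note` closes its triple-quoted string on the last bullet line (`…in the future."""`), whereas the other two guides added in this commit end with `+"""` on its own line; a reorder commit is the place to keep that consistent, so I would split it into `+- Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future.` followed by `+"""`. On content, the query's visible tail in the following hunk requires the DLL to reside in the directory of `process.executable`, meaning the signed host binary was itself placed next to the unsigned DLL, yet the investigation steps only examine the DLL's creation time; a bullet like `- Check the file creation event for process.executable itself: a signed binary recently copied into a user-writable folder beside the unsigned DLL is the side-loading pattern, and the process that wrote it identifies the dropper.` would send analysts to the dropper. The removal hunk that follows is cut off in this view, so I could not confirm whether the original placement ended with `"""` on its own line.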
@@ -126,40 +160,6 @@ library where host.os.type == "windows" and /* DLL loaded from the process.executable current directory */ endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1))) '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Unsigned DLL Side-Loading from a Suspicious Folder
-
-DLL side-loading exploits the trust of signed executables to load malicious DLLs, often from suspicious directories. Adversaries use this to bypass security measures by placing unsigned DLLs in locations mimicking legitimate paths. The detection rule identifies this by checking for trusted programs loading recently modified, unsigned DLLs from atypical directories, signaling potential evasion tactics.
-
-### Possible investigation steps
-
-- Review the process code signature to confirm the legitimacy of the trusted program that loaded the DLL. Check if the process is expected to run from the identified directory.
-- Examine the DLL's path and creation or modification time to determine if it aligns with typical user or system activity. Investigate why the DLL was recently modified or created.
-- Analyze the DLL's code signature status to understand why it is unsigned or has an error status. This can help identify if the DLL is potentially malicious.
-- Investigate the parent process and any associated child processes to understand the context of the DLL loading event. This can provide insights into how the DLL was introduced.
-- Check for any recent changes or anomalies in the system or user activity logs around the time the DLL was created or modified to identify potential indicators of compromise.
-- Correlate the alert with other security events or alerts in the environment to determine if this is part of a broader attack or isolated incident.
-
-### False positive analysis
-
-- Legitimate software updates or installations may temporarily load unsigned DLLs from atypical directories. Users can create exceptions for known update processes by verifying the source and ensuring the process is part of a legitimate update.
-- Custom or in-house applications might load unsigned DLLs from non-standard directories. Users should verify the application's behavior and, if deemed safe, exclude these specific paths or processes from the rule.
-- Development environments often involve testing unsigned DLLs in various directories. Developers can exclude these environments by specifying the directories or processes involved in the development workflow.
-- Some third-party security or system management tools may use unsigned DLLs for legitimate purposes. Users should confirm the tool's legitimacy and add exceptions for these tools to prevent false positives.
-
-### Response and remediation
-
-- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
-- Terminate the process associated with the unsigned DLL to stop any ongoing malicious operations.
-- Quarantine the suspicious DLL file and any related files for further analysis to understand the scope and nature of the threat.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
-- Review and restore any altered system configurations or settings to their original state to ensure system integrity.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has impacted other systems.
-- Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future."""
 [[rule.threat]]
@@ -179,9 +179,9 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 0e7351cbc5e..d263bc52ad1 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production"
-updated_date = "2025/08/29"
+updated_date = "2025/09/01"
 [rule] author = ["Elastic"]
@@ -160,23 +160,6 @@ any where host.os.type == "windows" and '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-[[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]]
@@ -191,9 +174,9 @@ reference = "https://attack.mitre.org/techniques/T1574/001/" [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]]
@@ -211,4 +194,21 @@ reference = "https://attack.mitre.org/techniques/T1036/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index cf962445d86..db0e8042ad4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,7 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/01"
 [rule] author = ["Elastic"]
@@ -124,9 +124,9 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
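Review bot: The phantom_dll edits (the `@@ -160,23 +160,6 @@` deletion on the previous line, this `@@ -191,9 +174,9 @@` tactic swap and the `@@ -211,4 +194,21 @@` addition) net out to a reorder of the `[[rule.threat]]` entries rather than a content change: after the id update, the removed block under TA0004 and the appended block under TA0003 carry exactly what the surviving blocks already say, so the same end state is reachable by changing only `id = "T1574.001"`, `name = "DLL"` and the matching reference in the first block. If the rule formatter dictates block order the churn is unavoidable, but otherwise the three-line edit keeps the history reviewable and leaves the Persistence mapping where reviewers last saw it. The appended block keeps the three empty lines before `[rule.threat.tactic]`, which matches the removed block and is presumably the repo's canonical layout.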
diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml
index 810da14702d..87e086c3d31 100644
--- a/rules_building_block/defense_evasion_dll_hijack.toml
+++ b/rules_building_block/defense_evasion_dll_hijack.toml
@@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/09/01"
 [rule] author = ["Elastic"]
@@ -93,9 +93,9 @@ name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml
index 99e8191af4c..afce0c6f8cd 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production"
-updated_date = "2024/05/05"
+updated_date = "2025/09/01"
 [rule] author = ["Elastic"]
@@ -133,9 +133,9 @@ name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]]
-id = "T1574.002"
-name = "DLL Side-Loading"
-reference = "https://attack.mitre.org/techniques/T1574/002/"
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
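Review bot: Retagging this subtechnique to T1574.001 leaves the technique with two identical subtechnique entries, because the lines immediately above the `@@ -93,9 +93,9 @@` hunk (`name = "DLL"`, `reference = "https://attack.mitre.org/techniques/T1574/001/"`) appear to belong to a `[[rule.threat.technique.subtechnique]]` that is already T1574.001. The right edit in rules_building_block/defense_evasion_dll_hijack.toml is to delete the whole three-key block plus its table header rather than rewrite it, so the rule's ATT&CK metadata lists T1574.001 once under T1574. The same duplicate is produced by the `@@ -133,9 +133,9 @@` hunk in rules_building_block/defense_evasion_masquerading_windows_dll.toml, where the preceding context is identical. A schema or unit-test check that subtechnique ids are unique within a technique would catch this kind of fallout whenever ATT&CK merges ids.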