[Bug] ESQL validation support fix#5970
Merged
eric-forte-elastic merged 1 commit intomainfrom Apr 22, 2026
Merged
Conversation
eric-forte-elastic
added
python
Contributor
Bug - GuidelinesThese guidelines serve as a reminder set of considerations when addressing a bug in the code. Documentation and Context
Code Standards and Practices
Testing
Additional Checks
|
shashank-elastic
approved these changes
Apr 22, 2026
Contributor
shashank-elastic
left a comment
shashank-elastic
left a comment
There was a problem hiding this comment.
Tested the revert locally on 8.19 and the fix works as expected.
Details
detection-rules (2e8ff76) [$?] is 📦 v1.6.14 via 🐍 v3.12.8 (.venv) on ☁️ shashank.suryanarayana@elastic.co
❯ python -m detection_rules view-rule rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml --esql-remote-validation
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
/Users/shashankks/elastic_workspace/detection-rules/detection_rules/index_mappings.py:366: ElasticsearchWarning: No limit defined, adding default limit of [1000]
response = elastic_client.esql.query(query=query)
{
"author": [
"Elastic"
],
"description": "Identifies recursive grep activity on Linux or macOS where the command line suggests hunting for secrets, credentials, keys, tokens, or sensitive paths (for example .env, .git, .aws). Events are aggregated per host, user, parent process, and one-minute window, the rule surfaces activity only when at least three distinct grep command lines match in the same bucket, to reduce noise from one-off searches.",
"from": "now-9m",
"interval": "5m",
"language": "esql",
"license": "Elastic License v2",
"name": "Potential Credential Discovery via Recursive Grep",
"note": "## Triage and analysis\n\n### Investigating Potential Credential Discovery via Recursive Grep\n\nAdversaries and insider threats sometimes use `grep -r` (or `--recursive`, `-R`) across directories to find passwords,\nAPI keys, private keys, cloud tokens, or repository and environment files. This rule looks for `grep`/`egrep` process\nstarts with recursive flags and command-line patterns associated with credential and secret discovery, then requires\n**three or more distinct command lines** in the same one-minute bucket per host, user, and parent process.\n\n### Possible investigation steps\n\n- Review **Esql.cmd_values** for the exact patterns searched (paths, regex, file globs).\n- Inspect **Esql.pcmd_values** and **process.parent.name** to see the launch context (interactive shell, script, IDE, CI).\n- Confirm whether the user and host normally run security scans, audits, or developer tooling that legitimately greps for secrets.\n- If suspicious, search the same host for file access, archive exfiltration, or cloud API use in the surrounding timeframe.\n\n### False positive analysis\n\n- Security scanners, secret scanners (e.g. in CI), and compliance scripts may match. Tune by **parent process**, **user**,\n **working directory**, or organizational allowlists.\n- Legitimate searches in documentation for the word \"password\" can match; the **unique_cmd >= 3** threshold reduces but\n does not eliminate this.\n\n### Response and remediation\n\n- If unauthorized: contain the host, reset or rotate any credentials that may have been exposed, and review VCS and\n cloud audit logs for follow-on abuse.\n",
"query": "from logs-endpoint.events.process-* metadata _id, _version, _index\n| where host.os.type in (\"linux\", \"macos\")\n and event.category == \"process\"\n and process.name in (\"grep\", \"egrep\")\n and (to_lower(process.command_line) like \"* -r*\" or to_lower(process.command_line) like \"*--recursive*\")\n and (\n process.command_line like \"*password*\"\n or process.command_line like \"*passwd*\"\n or process.command_line like \"*pwd*\"\n or process.command_line like \"*secret*\"\n or process.command_line like \"*token*\"\n or process.command_line like \"*apikey*\"\n or process.command_line like \"*api_key*\"\n or process.command_line like \"*api.key*\"\n or process.command_line like \"*access_key*\"\n or process.command_line like \"*private_key*\"\n or process.command_line like \"*client_secret*\"\n or process.command_line like \"*credential*\"\n or process.command_line like \"*auth*\"\n or process.command_line like \"*bearer*\"\n or process.command_line like \"*BEGIN*PRIVATE*KEY*\"\n or process.command_line like \"*ssh-rsa*\"\n or process.command_line like \"*ghp_*\"\n or process.command_line like \"*github_pat*\"\n or process.command_line like \"*xoxb-*\"\n or process.command_line like \"*hooks.slack.com*\"\n or process.command_line like \"*discord.com/api/webhooks*\"\n or process.command_line like \"*/.aws/*\"\n or process.command_line like \"*/.git/*\"\n or process.command_line like \"*/.env*\"\n )\n and (process.parent.command_line is null or not (to_lower(process.parent.command_line) like \"*shell-snapshots*\" and process.parent.name in (\"bash\", \"sh\", \"zsh\")))\n| eval Esql.time_bucket = date_trunc(1 minute, @timestamp)\n| stats Esql.unique_cmd = count_distinct(process.command_line),\n Esql.cmd_values = values(process.command_line),\n Esql.pcmd_values = values(process.parent.command_line)\n by process.name, host.id, host.name, agent.id, process.parent.name, user.name, Esql.time_bucket\n| where Esql.unique_cmd >= 3\n| keep host.id, host.name, agent.id, user.name, process.parent.name, Esql.*\n",
"references": [
"https://attack.mitre.org/techniques/T1552/001/",
"https://attack.mitre.org/techniques/T1083/"
],
"related_integrations": [
{
"package": "endpoint",
"version": "^9.0.0"
}
],
"required_fields": [
{
"ecs": false,
"name": "Esql.cmd_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.pcmd_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.time_bucket",
"type": "date"
},
{
"ecs": false,
"name": "Esql.unique_cmd",
"type": "long"
},
{
"ecs": true,
"name": "agent.id",
"type": "keyword"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "host.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.name",
"type": "keyword"
},
{
"ecs": true,
"name": "user.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c",
"severity": "high",
"tags": [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0006",
"name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"
},
"technique": [
{
"id": "T1552",
"name": "Unsecured Credentials",
"reference": "https://attack.mitre.org/techniques/T1552/",
"subtechnique": [
{
"id": "T1552.001",
"name": "Credentials In Files",
"reference": "https://attack.mitre.org/techniques/T1552/001/"
}
]
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0007",
"name": "Discovery",
"reference": "https://attack.mitre.org/tactics/TA0007/"
},
"technique": [
{
"id": "T1083",
"name": "File and Directory Discovery",
"reference": "https://attack.mitre.org/techniques/T1083/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "esql",
"version": 1
}
detection-rules (2e8ff76) [$?] is 📦 v1.6.14 via 🐍 v3.12.8 (.venv) on ☁️ shashank.suryanarayana@elastic.co took 9s
❯ git checkout main
Mikaayenson
approved these changes
Apr 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Related to #5918
Summary - What I changed
An ES|QL validation PR: #5925 introduced an optimization to catch field validation issues on stack version prior to backporting.
However, this update did not take into account that we also run ES|QL validation on the old stack branches during the release process. Outside of the release process this is not done, so it appeared that we could make this optimization.
The lock versions job is run from main, so the validation occurs, but the context/checkout of the repo is on older branches e.g. 8.19 (failed run)
This PR reverts the optimization to address lock version errors. Re-introduces the risk needing to be careful with ES|QL PRs like #5923, but this is unavoidable given the required release process.
How To Test
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist