PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["fim"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/12/04"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,10 @@ name = "Potential Persistence via File Modification"
 references = [
     "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
     "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
+    "https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence",
+    "https://slayer0x.github.io/awscli/",
 ]
 risk_score = 21
 rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
@@ -94,6 +98,10 @@ file.path : (
   "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
   "/home/*/.kshrc", "/root/.kshrc",
+  // Alias files
+  "/home/*/.bash_aliases", "/root/.bash_aliases", "/home/*/.zsh_aliases", "/root/.zsh_aliases",
+  "/home/*/.aws/cli/alias", "/root/.aws/cli/alias",
   // runtime control
   "/etc/rc.common", "/etc/rc.local",

nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_error_message_spike.toml ADDED Viewed

@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/11/21"
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes
+in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
+"""
+false_positives = [
+    """
+    Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud
+    automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM
+    privileges.
+    """,
+]
+from = "now-60m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_high_distinct_count_error_message"
+name = "Spike in GCP Audit Failed Messages"
+setup = """## Setup
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP Audit.
+### Anomaly Detection Setup
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "a4b740e4-be17-4048-9aa4-1e6f42b455b1"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_error_code.toml ADDED Viewed

@@ -0,0 +1,118 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/11/21"
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or
+successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
+"""
+false_positives = [
+    """
+    Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can
+    also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud
+    automation scripts or workflows, or changes to IAM privileges.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_error_code"
+name = "Rare GCP Audit Failure Event Code"
+setup = """## Setup
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+### Anomaly Detection Setup
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "5378a829-30c2-435a-a0f2-e3d794bd6f80"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"

nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml ADDED Viewed

@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/11/21"
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+    """
+    New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+    changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+    adoption of work from home policies; or users who travel frequently.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_city"
+name = "Unusual City For a GCP Event"
+setup = """## Setup
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+### Anomaly Detection Setup
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "f20d1782-e783-4ed0-a0c4-946899a98a7c"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"

nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml ADDED Viewed

@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/11/21"
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+    """
+    New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+    changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+    adoption of work from home policies; or users who travel frequently.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_country"
+name = "Unusual Country For a GCP Event"
+setup = """## Setup
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+### Anomaly Detection Setup
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"

nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml ADDED Viewed

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/11/21"
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an GCP Audit event that, while not inherently suspicious or abnormal, is being made by a
+user context that does not normally use the event action. This can be the result of compromised credentials or keys as
+someone uses a valid account to persist, move laterally, or exfiltrate data.
+"""
+false_positives = [
+    """
+    New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud
+    automation scripts or workflows; adoption of new services; or changes in the way services are used.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_client_user_email"
+name = "Unusual GCP Event for a User"
+setup = """## Setup
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+### Anomaly Detection Setup
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "2e08f34c-691c-497e-87de-5d794a1b2a53"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.007"
+name = "Cloud Services"
+reference = "https://attack.mitre.org/techniques/T1021/007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"

nldcsc_elastic_rules/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml ADDED Viewed

@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2025/11/28"
+integration = ["github"]
+maturity = "production"
+updated_date = "2025/11/28"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries
+may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
+"""
+false_positives = [
+    "Authorized self-hosted GitHub actions runner.",
+]
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "New GitHub Self Hosted Action Runner"
+note = """## Triage and analysis
+### Investigating New GitHub Self Hosted Action Runner
+Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.
+### Possible investigation steps
+- Validate the user is authoried to perform this change
+- Review the purpose of the self-hosted action runner and what actions will be executed.
+- Verify if there is any adjascent  sensitive file access or collection.
+- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.
+### False positive analysis
+- Authorized github self-hosted actions runner.
+### Response and remediation
+- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
+- Terminate any suspicious child processes that were initiated by the Github actions runner.
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
+- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
+- Implement application whitelisting to prevent unauthorized execution.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Data Source: Github",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"enterprise.register_self_hosted_runner"
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.actor_ip"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-5d"

nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/11/25"
 [rule]
 author = ["Elastic"]
@@ -83,28 +83,38 @@ type = "esql"
 query = '''
 from logs-o365.audit-*
 | where
-    @timestamp > now() - 14d and
     event.dataset == "o365.audit" and
     event.provider == "OneDrive" and
     event.action == "FileDownloaded" and
     o365.audit.AuthenticationType == "OAuth" and
     event.outcome == "success"
-| eval
-    Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
-| keep
-    Esql.time_window_date_trunc,
-    o365.audit.UserId,
-    file.name,
-    source.ip
+    and (user.id is not null and o365.audit.ApplicationId is not null)
+| eval session.id = coalesce(o365.audit.AppAccessContext.AADSessionId, session.id, null)
+| where session.id is not null
+| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
 | stats
+    Esql.file_directory_values = values(file.directory),
+    Esql.file_extension_values = values(file.extension),
+    Esql.application_name_values = values(application.name),
     Esql.file_name_count_distinct = count_distinct(file.name),
+    Esql.o365_audit_Site_values = values(o365.audit.Site),
+    Esql.o365_audit_SiteUrl_values = values(o365.audit.SiteUrl),
+    Esql.user_domain_values = values(user.domain),
+    Esql.token_id_values = values(token.id),
     Esql.event_count = count(*)
-  by
+by
     Esql.time_window_date_trunc,
-    o365.audit.UserId,
-    source.ip
-| where
-    Esql.file_name_count_distinct >= 25
+    user.id,
+    session.id,
+    source.ip,
+    o365.audit.ApplicationId
+| where Esql.file_name_count_distinct >= 25
+| keep
+    Esql.*,
+    user.id,
+    source.ip,
+    o365.audit.ApplicationId,
+    session.id
 '''

nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl