nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (123) hide show
  1. nldcsc_elastic_rules/__init__.py +1 -1
  2. nldcsc_elastic_rules/rules/{linux → cross-platform}/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +32 -11
  3. nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml +134 -0
  4. nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml +128 -0
  5. nldcsc_elastic_rules/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +154 -0
  6. nldcsc_elastic_rules/rules/cross-platform/credential_access_gitleaks_execution.toml +114 -0
  7. nldcsc_elastic_rules/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml +198 -0
  8. nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml +24 -5
  9. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_config_modification.toml +120 -0
  10. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml +158 -0
  11. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml +172 -0
  12. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml +98 -0
  13. nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml +172 -0
  14. nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml +133 -0
  15. nldcsc_elastic_rules/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml +250 -0
  16. nldcsc_elastic_rules/rules/{linux/persistence_nodejs_pre_or_post_install_script_execution.toml → cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml} +40 -24
  17. nldcsc_elastic_rules/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml +146 -0
  18. nldcsc_elastic_rules/rules/cross-platform/execution_register_github_actions_runner.toml +126 -0
  19. nldcsc_elastic_rules/rules/cross-platform/execution_via_github_actions_runner.toml +130 -0
  20. nldcsc_elastic_rules/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml +163 -0
  21. nldcsc_elastic_rules/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml +130 -0
  22. nldcsc_elastic_rules/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml +145 -0
  23. nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml +4 -1
  24. nldcsc_elastic_rules/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +3 -4
  25. nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml +23 -25
  26. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml +13 -14
  27. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml +8 -5
  28. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml +12 -12
  29. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +37 -43
  30. nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_rds_instance_restored.toml +137 -45
  31. nldcsc_elastic_rules/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml +152 -0
  32. nldcsc_elastic_rules/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml +242 -0
  33. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +141 -33
  34. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml +108 -30
  35. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +2 -1
  36. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml +114 -27
  37. nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_deleted.toml +174 -0
  38. nldcsc_elastic_rules/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +111 -33
  39. nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml +129 -43
  40. nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +89 -27
  41. nldcsc_elastic_rules/rules/integrations/aws/impact_rds_snapshot_deleted.toml +127 -37
  42. nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml +160 -43
  43. nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml +20 -10
  44. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +35 -1
  45. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +59 -1
  46. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +19 -1
  47. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +19 -1
  48. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +58 -1
  49. nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +109 -35
  50. nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_made_public.toml +103 -22
  51. nldcsc_elastic_rules/rules/integrations/aws/persistence_redshift_instance_creation.toml +3 -3
  52. nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml +126 -69
  53. nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml +134 -0
  54. nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml +2 -2
  55. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_event_failures.toml +124 -0
  56. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_event_failures.toml +148 -0
  57. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_city.toml +109 -0
  58. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_country.toml +108 -0
  59. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_user.toml +147 -0
  60. nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml +9 -1
  61. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_error_message_spike.toml +95 -0
  62. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_error_code.toml +118 -0
  63. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +79 -0
  64. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +79 -0
  65. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml +117 -0
  66. nldcsc_elastic_rules/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml +92 -0
  67. nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +24 -14
  68. nldcsc_elastic_rules/rules/linux/defense_evasion_file_deletion_via_shred.toml +12 -5
  69. nldcsc_elastic_rules/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml +150 -0
  70. nldcsc_elastic_rules/rules/linux/persistence_at_job_creation.toml +4 -4
  71. nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation.toml +12 -7
  72. nldcsc_elastic_rules/rules/linux/persistence_pth_file_creation.toml +6 -1
  73. nldcsc_elastic_rules/rules/linux/persistence_site_and_user_customize_file_creation.toml +6 -1
  74. nldcsc_elastic_rules/rules/linux/persistence_web_server_unusual_command_execution.toml +155 -0
  75. nldcsc_elastic_rules/rules/ml/ml_high_count_events_for_a_host_name.toml +58 -1
  76. nldcsc_elastic_rules/rules/ml/ml_high_count_network_denies.toml +71 -1
  77. nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml +53 -1
  78. nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml +56 -1
  79. nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml +40 -1
  80. nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml +27 -1
  81. nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml +63 -1
  82. nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml +68 -1
  83. nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml +53 -1
  84. nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml +56 -1
  85. nldcsc_elastic_rules/rules/network/initial_access_react_server_components_rce_attempt.toml +123 -0
  86. nldcsc_elastic_rules/rules/promotions/external_alerts.toml +2 -2
  87. nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml +4 -3
  88. nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml +3 -4
  89. nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml +11 -8
  90. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml +25 -2
  91. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +2 -3
  92. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +2 -3
  93. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +2 -3
  94. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +2 -3
  95. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +2 -3
  96. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +2 -3
  97. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +2 -3
  98. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +2 -3
  99. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +2 -3
  100. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +2 -3
  101. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +2 -3
  102. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +2 -3
  103. nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml +13 -10
  104. nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml +3 -2
  105. nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml +7 -2
  106. nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml +9 -2
  107. nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml +16 -6
  108. nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml +7 -2
  109. nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml +2 -2
  110. nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml +19 -2
  111. nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml +50 -13
  112. nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml +12 -2
  113. nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +24 -18
  114. nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +14 -2
  115. nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml +3 -2
  116. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/METADATA +1 -1
  117. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/RECORD +119 -87
  118. nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +0 -105
  119. nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml +0 -135
  120. nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml +0 -155
  121. nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +0 -95
  122. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/WHEEL +0 -0
  123. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/top_level.txt +0 -0
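--- a/nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis", "network_traffic"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ applications to inject and execute arbitrary commands on the server, often using
 PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to
 potential threats early.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -54,14 +54,12 @@ rule_id = "f3ac6734-7e52-4a0d-90b7-6847bf4308f2"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
 "Tactic: Persistence",
 "Tactic: Execution",
 "Tactic: Credential Access",
 "Tactic: Command and Control",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -71,26 +69,24 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 | where
-(url.original is not null or url.full is not null) and
 // Limit to 200 response code to reduce noise
 http.response.status_code == 200
 
-| eval Esql.url_lower = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_lower)
-
-| eval Esql.contains_interpreter = case(Esql.url_lower like "*python* -c*" or Esql.url_lower like "*perl* -e*" or Esql.url_lower like "*ruby* -e*" or Esql.url_lower like "*ruby* -rsocket*" or Esql.url_lower like "*lua* -e*" or Esql.url_lower like "*php* -r*" or Esql.url_lower like "*node* -e*", 1, 0)
-| eval Esql.contains_shell = case(Esql.url_lower like "*/bin/bash*" or Esql.url_lower like "*bash*-c*" or Esql.url_lower like "*/bin/sh*" or Esql.url_lower rlike "*sh.{1,2}-c*", 1, 0)
-| eval Esql.contains_nc = case(Esql.url_lower like "*netcat*" or Esql.url_lower like "*ncat*" or Esql.url_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or Esql.url_lower like "*nc.openbsd*" or Esql.url_lower like "*nc.traditional*" or Esql.url_lower like "*socat*", 1, 0)
-| eval Esql.contains_devtcp = case(Esql.url_lower like "*/dev/tcp/*" or Esql.url_lower like "*/dev/udp/*", 1, 0)
-| eval Esql.contains_helpers = case((Esql.url_lower like "*/bin/*" or Esql.url_lower like "*/usr/bin/*") and (Esql.url_lower like "*mkfifo*" or Esql.url_lower like "*nohup*" or Esql.url_lower like "*setsid*" or Esql.url_lower like "*busybox*"), 1, 0)
-| eval Esql.contains_sus_cli = case(Esql.url_lower like "*import*pty*spawn*" or Esql.url_lower like "*import*subprocess*call*" or Esql.url_lower like "*tcpsocket.new*" or Esql.url_lower like "*tcpsocket.open*" or Esql.url_lower like "*io.popen*" or Esql.url_lower like "*os.execute*" or Esql.url_lower like "*fsockopen*", 1, 0)
-| eval Esql.contains_privileges = case(Esql.url_lower like "*chmod*+x", 1, 0)
-| eval Esql.contains_downloader = case(Esql.url_lower like "*curl *" or Esql.url_lower like "*wget *" , 1, 0)
-| eval Esql.contains_file_read_keywords = case(Esql.url_lower like "*/etc/shadow*" or Esql.url_lower like "*/etc/passwd*" or Esql.url_lower like "*/root/.ssh/*" or Esql.url_lower like "*/home/*/.ssh/*" or Esql.url_lower like "*~/.ssh/*" or Esql.url_lower like "*/proc/self/environ*", 1, 0)
-| eval Esql.contains_base64_cmd = case(Esql.url_lower like "*base64*-d*" or Esql.url_lower like "*echo*|*base64*", 1, 0)
-| eval Esql.contains_suspicious_path = case(Esql.url_lower like "*/tmp/*" or Esql.url_lower like "*/var/tmp/*" or Esql.url_lower like "*/dev/shm/*" or Esql.url_lower like "*/root/*" or Esql.url_lower like "*/home/*/*" or Esql.url_lower like "*/var/www/*" or Esql.url_lower like "*/etc/cron.*/*", 1, 0)
+| eval Esql.url_original_to_lower = to_lower(url.original)
+
+| eval Esql.contains_interpreter = case(Esql.url_original_to_lower like "*python* -c*" or Esql.url_original_to_lower like "*perl* -e*" or Esql.url_original_to_lower like "*ruby* -e*" or Esql.url_original_to_lower like "*ruby* -rsocket*" or Esql.url_original_to_lower like "*lua* -e*" or Esql.url_original_to_lower like "*php* -r*" or Esql.url_original_to_lower like "*node* -e*", 1, 0)
+| eval Esql.contains_shell = case(Esql.url_original_to_lower like "*/bin/bash*" or Esql.url_original_to_lower like "*bash*-c*" or Esql.url_original_to_lower like "*/bin/sh*" or Esql.url_original_to_lower rlike "*sh.{1,2}-c*", 1, 0)
+| eval Esql.contains_nc = case(Esql.url_original_to_lower like "*netcat*" or Esql.url_original_to_lower like "*ncat*" or Esql.url_original_to_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or Esql.url_original_to_lower like "*nc.openbsd*" or Esql.url_original_to_lower like "*nc.traditional*" or Esql.url_original_to_lower like "*socat*", 1, 0)
+| eval Esql.contains_devtcp = case(Esql.url_original_to_lower like "*/dev/tcp/*" or Esql.url_original_to_lower like "*/dev/udp/*", 1, 0)
+| eval Esql.contains_helpers = case((Esql.url_original_to_lower like "*/bin/*" or Esql.url_original_to_lower like "*/usr/bin/*") and (Esql.url_original_to_lower like "*mkfifo*" or Esql.url_original_to_lower like "*nohup*" or Esql.url_original_to_lower like "*setsid*" or Esql.url_original_to_lower like "*busybox*"), 1, 0)
+| eval Esql.contains_sus_cli = case(Esql.url_original_to_lower like "*import*pty*spawn*" or Esql.url_original_to_lower like "*import*subprocess*call*" or Esql.url_original_to_lower like "*tcpsocket.new*" or Esql.url_original_to_lower like "*tcpsocket.open*" or Esql.url_original_to_lower like "*io.popen*" or Esql.url_original_to_lower like "*os.execute*" or Esql.url_original_to_lower like "*fsockopen*", 1, 0)
+| eval Esql.contains_privileges = case(Esql.url_original_to_lower like "*chmod*+x", 1, 0)
+| eval Esql.contains_downloader = case(Esql.url_original_to_lower like "*curl *" or Esql.url_original_to_lower like "*wget *" , 1, 0)
+| eval Esql.contains_file_read_keywords = case(Esql.url_original_to_lower like "*/etc/shadow*" or Esql.url_original_to_lower like "*/etc/passwd*" or Esql.url_original_to_lower like "*/root/.ssh/*" or Esql.url_original_to_lower like "*/home/*/.ssh/*" or Esql.url_original_to_lower like "*~/.ssh/*" or Esql.url_original_to_lower like "*/proc/self/environ*", 1, 0)
+| eval Esql.contains_base64_cmd = case(Esql.url_original_to_lower like "*base64*-d*" or Esql.url_original_to_lower like "*echo*|*base64*", 1, 0)
+| eval Esql.contains_suspicious_path = case(Esql.url_original_to_lower like "*/tmp/*" or Esql.url_original_to_lower like "*/var/tmp/*" or Esql.url_original_to_lower like "*/dev/shm/*" or Esql.url_original_to_lower like "*/root/*" or Esql.url_original_to_lower like "*/home/*/*" or Esql.url_original_to_lower like "*/var/www/*" or Esql.url_original_to_lower like "*/etc/cron.*/*", 1, 0)
 
 | eval Esql.any_payload_keyword = case(
 Esql.contains_interpreter == 1 or Esql.contains_shell == 1 or Esql.contains_nc == 1 or Esql.contains_devtcp == 1 or
@@ -99,7 +95,7 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 
 | keep
 @timestamp,
-Esql.url_lower,
+Esql.url_original_to_lower,
 Esql.any_payload_keyword,
 Esql.contains_interpreter,
 Esql.contains_shell,
@@ -119,20 +115,22 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 http.response.status_code,
 user_agent.original,
 host.name,
-event.dataset
+event.dataset,
+data_stream.namespace
 
 | stats
 Esql.event_count = count(),
-Esql.url_path_count_distinct = count_distinct(Esql.url_lower),
+Esql.url_path_count_distinct = count_distinct(Esql.url_original_to_lower),
 
 // General fields
 
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
-Esql.url_path_values = values(Esql.url_lower),
+Esql.url_path_values = values(Esql.url_original_to_lower),
 Esql.http.response.status_code_values = values(http.response.status_code),
 Esql.user_agent_original_values = values(user_agent.original),
 Esql.event_dataset_values = values(event.dataset),
+Esql.data_stream_namespace_values = values(data_stream.namespace),
 
 // Rule Specific fields
 Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),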
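Review bot: The rewritten `where` drops the `(url.original is not null or url.full is not null)` guard, so 200-status access events with no `url.original` now flow through the whole `eval` chain and into `stats`; `to_lower(null)` is null, the `like`/`rlike` tests then yield null and the `case(..., 1, 0)` flags presumably fall back to 0, but those rows still add to `Esql.event_count` while `count_distinct` ignores them, so the counts shown in an alert no longer describe the same population as `Esql.url_path_values`. Whether the four listed access-log integrations can emit events without `url.original` is not visible from the hunk; if they can, restoring `url.original is not null and` as the first `where` clause keeps the aggregates consistent. The same guard is removed in the discovery-or-fuzzing and unusual-spike-in-error-response-codes sections below, where such rows count toward the `Esql.event_count > 500` and `Esql.http_response_status_code_count > 10` thresholds. This query's final `where` threshold lies outside the hunk.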
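--- a/nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["network_traffic", "nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential web server discovery or fuzzing activity by identify
 in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker
 is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -52,10 +52,8 @@ rule_id = "8383a8d0-008b-47a5-94e5-496629dc3590"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -65,14 +63,12 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 | where
-(url.original is not null or url.full is not null) and
 http.request.method == "GET" and
 http.response.status_code in (404, 403)
 
-| eval Esql.url_text = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_text)
+| eval Esql.url_original_to_lower = to_lower(url.original)
 
 | keep
 @timestamp,
@@ -82,19 +78,22 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 source.ip,
 agent.id,
 host.name,
-Esql.url_lower
+Esql.url_original_to_lower,
+data_stream.namespace
+
 | stats
 Esql.event_count = count(),
-Esql.url_lower_count_distinct = count_distinct(Esql.url_lower),
+Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
-Esql.url_path_values = values(Esql.url_lower),
-Esql.event_dataset_values = values(event.dataset)
+Esql.url_original_values = values(Esql.url_original_to_lower),
+Esql.event_dataset_values = values(event.dataset),
+Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip
 | where
-Esql.event_count > 500 and Esql.url_lower_count_distinct > 250
+Esql.event_count > 500 and Esql.url_original_count_distinct > 250
 '''
 
 [[rule.threat]]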
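--- a/nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/25"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ as vulnerability scanning or fuzzing attempts by adversaries. These activities o
 responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
 issues that could be exploited.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -71,16 +71,19 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
 event.dataset,
 source.ip,
 agent.id,
-host.name
+host.name,
+data_stream.namespace
+
 | where source.ip is not null
 | stats
 Esql.event_count = count(),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
-Esql.event_dataset_values = values(event.dataset)
+Esql.event_dataset_values = values(event.dataset),
+Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where
-Esql.event_count > 25
+Esql.event_count > 50
 '''
 
 [[rule.threat]]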
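Review bot: The trigger condition moves from `Esql.event_count > 25` to `Esql.event_count > 50` with nothing in the hunk recording why, and the rule description (which starts outside this hunk) does not mention a threshold at all, so the next person tuning this rule has no baseline to reason from. A one-line ES|QL comment beside the condition, e.g. `// Threshold raised from 25 to 50 on 2025/12/05 to reduce noise on busy hosts; tune per environment`, would preserve the rationale. Separately, `data_stream.namespace` is now kept and collected with `values(...)` but the grouping stays `by source.ip, agent.id`, so error bursts from one source spread across several namespaces are pooled under the single threshold; that looks intentional, but it is worth stating in the same comment.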
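--- a/nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["network_traffic", "nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ reconnaissance activities such as vulnerability scanning or fuzzing attempts by
 generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes
 may potentially indicate server-side issues that could be exploited.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -53,10 +53,8 @@ rule_id = "6fa3abe3-9cd8-41de-951b-51ed8f710523"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -66,9 +64,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 | where
-(url.original is not null or url.full is not null) and
 http.request.method == "GET" and
 http.response.status_code in (
 500, // Internal Server Error
@@ -76,8 +73,8 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 503, // Service Unavailable
 504 // Gateway Timeout
 )
-| eval Esql.url_text = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_text)
+
+| eval Esql.url_original_to_lower = to_lower(url.original)
 
 | keep
 @timestamp,
@@ -87,7 +84,9 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 source.ip,
 agent.id,
 host.name,
-Esql.url_lower
+Esql.url_original_to_lower,
+data_stream.namespace
+
 | stats
 Esql.event_count = count(),
 Esql.http_response_status_code_count = count(http.response.status_code),
@@ -96,8 +95,9 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 Esql.agent_id_values = values(agent.id),
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
-Esql.url_path_values = values(Esql.url_lower),
-Esql.event_dataset_values = values(event.dataset)
+Esql.url_path_values = values(Esql.url_original_to_lower),
+Esql.event_dataset_values = values(event.dataset),
+Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where
 Esql.http_response_status_code_count > 10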
@@ -1,8 +1,8 @@
1
1
  [metadata]
2
2
  creation_date = "2025/11/19"
3
- integration = ["nginx", "apache", "apache_tomcat", "iis", "network_traffic"]
3
+ integration = ["nginx", "apache", "apache_tomcat", "iis"]
4
4
  maturity = "production"
5
- updated_date = "2025/11/24"
5
+ updated_date = "2025/12/05"
6
6
 
7
7
  [rule]
8
8
  author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects unusual spikes in web server requests with uncommon or suspici
11
11
  indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These
12
12
  user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.
13
13
  """
14
- from = "now-9m"
14
+ from = "now-11m"
15
15
  interval = "10m"
16
16
  language = "esql"
17
17
  license = "Elastic License v2"
@@ -52,11 +52,9 @@ rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35"
52
52
  severity = "low"
53
53
  tags = [
54
54
  "Domain: Web",
55
- "Domain: Network",
56
55
  "Use Case: Threat Detection",
57
56
  "Tactic: Reconnaissance",
58
57
  "Tactic: Credential Access",
59
- "Data Source: Network Packet Capture",
60
58
  "Data Source: Nginx",
61
59
  "Data Source: Apache",
62
60
  "Data Source: Apache Tomcat",
@@ -66,40 +64,34 @@ tags = [
66
64
  timestamp_override = "event.ingested"
67
65
  type = "esql"
68
66
  query = '''
69
- from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
67
+ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
70
68
 
71
- | eval Esql.user_agent_original_lower = to_lower(user_agent.original)
69
+ | eval Esql.user_agent_original_to_lower = to_lower(user_agent.original), Esql.url_original_to_lower = to_lower(url.original)
72
70
 
73
71
  | where
74
- (url.original is not null or url.full is not null) and
75
- (
76
- Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
77
- Esql.user_agent_original_lower like "nikto*" or // Nikto
78
- Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
79
- Esql.user_agent_original_lower like "*nessus*" or // Nessus Vulnerability Scanner
80
- Esql.user_agent_original_lower like "sqlmap/*" or // SQLMap
81
- Esql.user_agent_original_lower like "wpscan*" or // WPScan
82
- Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster
83
- Esql.user_agent_original_lower like "masscan*" or // Masscan & masscan-ng
84
- Esql.user_agent_original_lower like "fuzz*" or // Ffuf
85
- Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch
86
- Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
87
- Esql.user_agent_original_lower like "dirbuster*" or // Dirbuster
88
- Esql.user_agent_original_lower like "gobuster/*" or // Gobuster
89
- Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch
90
- Esql.user_agent_original_lower like "*nmap*" or // Nmap Scripting Engine
91
- Esql.user_agent_original_lower like "*hydra*" or // Hydra Brute Forcer
92
- Esql.user_agent_original_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
93
- Esql.user_agent_original_lower like "*arachni*" or // Arachni Web Application Security Scanner
94
- Esql.user_agent_original_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
95
- Esql.user_agent_original_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
96
- Esql.user_agent_original_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
97
- Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP
98
- Esql.user_agent_original_lower like "*burp*" // Burp Suite
99
- )
100
-
101
- | eval Esql.url_text = case(url.original is not null, url.original, url.full)
102
- | eval Esql.url_lower = to_lower(Esql.url_text)
72
+ Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
73
+ Esql.user_agent_original_to_lower like "nikto*" or // Nikto
74
+ Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
75
+ Esql.user_agent_original_to_lower like "*nessus*" or // Nessus Vulnerability Scanner
76
+ Esql.user_agent_original_to_lower like "sqlmap/*" or // SQLMap
77
+ Esql.user_agent_original_to_lower like "wpscan*" or // WPScan
78
+ Esql.user_agent_original_to_lower like "feroxbuster/*" or // Feroxbuster
79
+ Esql.user_agent_original_to_lower like "masscan*" or // Masscan & masscan-ng
80
+ Esql.user_agent_original_to_lower like "fuzz*" or // Ffuf
81
+ Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch
82
+ Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
83
+ Esql.user_agent_original_to_lower like "dirbuster*" or // Dirbuster
84
+ Esql.user_agent_original_to_lower like "gobuster/*" or // Gobuster
85
+ Esql.user_agent_original_to_lower like "*dirsearch*" or // dirsearch
86
+ Esql.user_agent_original_to_lower like "*nmap*" or // Nmap Scripting Engine
87
+ Esql.user_agent_original_to_lower like "*hydra*" or // Hydra Brute Forcer
88
+ Esql.user_agent_original_to_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
89
+ Esql.user_agent_original_to_lower like "*arachni*" or // Arachni Web Application Security Scanner
90
+ Esql.user_agent_original_to_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
91
+ Esql.user_agent_original_to_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
92
+ Esql.user_agent_original_to_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
93
+ Esql.user_agent_original_to_lower like "*zap*" or // OWASP ZAP
94
+ Esql.user_agent_original_to_lower like "*burp*" // Burp Suite
103
95
 
104
96
  | keep
105
97
  @timestamp,
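Review bot: The Dirsearch clause in the rewritten `where` block still carries a pasted fragment of ES|QL syntax inside the string literal — `chrome/user_agent.original like~ 87.0.4280.88 safari/537.36` — so that `like` can never match a real user-agent and the Dirsearch default (Chrome-impersonating) UA goes undetected; the same garbled literal was on the old side, so the commit carries the defect over rather than introducing it. The line should presumably read `Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.88 safari/537.36" or // Dirsearch`, with the intended version string confirmed against the tool's current default UA. The `*dirsearch*` clause further down only covers a non-default user-agent, so this gap is real. Separately, the unanchored `*zap*` and `*burp*` patterns match any user-agent containing those substrings and may fire on unrelated clients; consider tightening them if such traffic is seen in the environment.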
@@ -108,19 +100,21 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
108
100
  source.ip,
109
101
  agent.id,
110
102
  host.name,
111
- Esql.url_lower,
112
- Esql.user_agent_original_lower
103
+ Esql.url_original_to_lower,
104
+ Esql.user_agent_original_to_lower,
105
+ data_stream.namespace
113
106
  | stats
114
107
  Esql.event_count = count(),
115
- Esql.url_path_count_distinct = count_distinct(Esql.url_lower),
108
+ Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
116
109
  Esql.host_name_values = values(host.name),
117
110
  Esql.agent_id_values = values(agent.id),
118
- Esql.url_path_values = values(Esql.url_lower),
119
- Esql.user_agent_original_values = values(Esql.user_agent_original_lower),
120
- Esql.event_dataset_values = values(event.dataset)
111
+ Esql.url_original_values = values(Esql.url_original_to_lower),
112
+ Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
113
+ Esql.event_dataset_values = values(event.dataset),
114
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
121
115
  by source.ip, agent.id
122
116
  | where
123
- Esql.event_count > 50 and Esql.url_path_count_distinct > 10
117
+ Esql.event_count > 50 and Esql.url_original_count_distinct > 10
124
118
  '''
125
119
 
126
120
  [[rule.threat]]