[Rule Tuning] ESQL Query Field Dynamic Field Standardization #4912

terrancedejesus · 2025-07-16T17:22:53Z

Pull Request

Issue link(s):

Summary - What I changed

Adjusts all ESQL queries in detection rules to standard field names based on previously established guidelines. Please see related issue and other related issues for more details.

How To Test

Almost all queries have been tested in the TRADE serverless stack to confirm logic was not adjusted unintentionally. It is recommended that anyone reviewing - if a query was written by them to test it on their own dataset to ensure logic has not changed.

Checklist

Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
Added the meta:rapid-merge label if planning to merge within 24 hours
Secret and sensitive material has been managed correctly
Automated testing was updated or added to match the most common scenarios
Documentation and comments were added for features that require explanation

Contributor checklist

Have you signed the contributor license agreement?
Have you followed the contributor guidelines?

…gle User Over a Session

…ithin a Single Blocked Request

…esponse Sizes

…le User

… a Single User

…rties

tradebot-elastic · 2025-07-24T18:50:09Z

⛔️ Test failed

Results

❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Session Reuse with Suspicious Graph Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Access Token Used from Multiple Addresses (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Denied Sensitive Information Policy Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Static Site JavaScript File Uploaded (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Signin Single Factor Console Login with Federated User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Egress Network Connections from Unusual Executable (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Okta Device Token Cookies Generated for Authentication (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Denied Topic Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Microsoft 365 User Account Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Widespread Malware Infection Across Multiple Hosts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Account Discovery Command via SYSTEM Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Exccessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta User Sessions Started from Different Geolocations (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Word Policy Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Brute Force via Entra ID Sign-Ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Microsoft 365 UserLoggedIn via OAuth Code (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Microsoft OAuth Flow via Auth Broker to DRS (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Multi-Region DescribeInstances API Calls (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Entra MFA TOTP Brute Force Attempts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Azure OpenAI Model Theft (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 EBS Snapshot Shared or Made Public (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Confidence Content Filter Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Bucket Enumeration or Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Rare Connection to WebDAV Target (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM User Created Access Keys For Another User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Port Scanning Activity from Compromised Host (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 EBS Snapshot Access Removed (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Detected Multiple Validation Exception Errors by a Single User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential AWS S3 Bucket Ransomware Note Uploaded (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Subnet Scanning Activity from Compromised Host (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Command Execution from Web Server Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual File Transfer Utility Launched (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta User Authentication Events with Client Address (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Spawned from Web Server Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic IEX Reconstruction via Method String Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Object Encryption Using External KMS Key (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Denial of Azure OpenAI ML Service (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Abuse of Resources by High Token Count and Large Response Sizes (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS Role Chaining (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Login Profile Added for Root (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Excessive Secret or Key Retrieval from Azure Key Vault (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Base64 Encoding/Decoding Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Device Token Hashes for Single Okta Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Sign-In Brute Force Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to Role (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Microsoft 365 User Account Lockouts in Short Time Window (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to Group (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via String Reordering (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Azure or Mail Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via String Concatenation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure OpenAI Insecure Output Handling (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2025-07-25T14:36:37Z

⛔️ Test failed

Results

❌ Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Session Reuse with Suspicious Graph Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Access Token Used from Multiple Addresses (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Denied Sensitive Information Policy Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Static Site JavaScript File Uploaded (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Signin Single Factor Console Login with Federated User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Egress Network Connections from Unusual Executable (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ High Number of Okta Device Token Cookies Generated for Authentication (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Denied Topic Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Microsoft 365 User Account Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Widespread Malware Infection Across Multiple Hosts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Account Discovery Command via SYSTEM Account (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Exccessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Okta User Sessions Started from Different Geolocations (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Word Policy Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Brute Force via Entra ID Sign-Ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Microsoft 365 UserLoggedIn via OAuth Code (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Suspicious Microsoft OAuth Flow via Auth Broker to DRS (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 Multi-Region DescribeInstances API Calls (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Entra MFA TOTP Brute Force Attempts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Azure OpenAI Model Theft (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 EBS Snapshot Shared or Made Public (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual High Confidence Content Filter Blocks Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Bucket Enumeration or Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Invalid Escape Sequences (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Rare Connection to WebDAV Target (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM User Created Access Keys For Another User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Port Scanning Activity from Compromised Host (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS EC2 EBS Snapshot Access Removed (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Detected Multiple Validation Exception Errors by a Single User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential AWS S3 Bucket Ransomware Note Uploaded (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Character Array Reconstruction (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Subnet Scanning Activity from Compromised Host (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Command Execution from Web Server Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual File Transfer Utility Launched (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta User Authentication Events with Client Address (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Process Spawned from Web Server Parent (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to User (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ PowerShell Obfuscation via Negative Index String Reversal (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Dynamic IEX Reconstruction via Method String Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS S3 Object Encryption Using External KMS Key (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Denial of Azure OpenAI ML Service (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Dynamic IEX Reconstruction via Environment Variables (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Abuse of Resources by High Token Count and Large Response Sizes (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS STS Role Chaining (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM Login Profile Added for Root (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Excessive Secret or Key Retrieval from Azure Key Vault (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Unusual Base64 Encoding/Decoding Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Device Token Hashes for Single Okta Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Sign-In Brute Force Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to Role (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Microsoft 365 User Account Lockouts in Short Time Window (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS IAM AdministratorAccess Policy Attached to Group (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via String Reordering (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Azure or Mail Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via Reverse Keywords (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via String Concatenation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Potential PowerShell Obfuscation via High Numeric Character Proportion (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure OpenAI Insecure Output Handling (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

Mikaayenson · 2025-07-25T19:23:28Z

rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml

-| sort violations desc
+
+// Keep relevant ECS + model fields
+| keep


Any reason we're mixing case for ES|QL functions? FROM vs keep vs stats vs COUNT

Not only the processing functions or commands, but logical operators can be lowercase or uppercase. There is variation amongst ESQL rules based on personal preference of the rule author. Since there are no inherit downsides, best practice against or for - I'd suggest leaving these as-is.

Im just not sure if it's best. It's really a nit, but seeing them mixed when we're already touching all the rules appears odd.

Mikaayenson · 2025-07-25T19:26:27Z

rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml

+// Aggregate all violation types per user
+| stats
+    Esql.ml_policy_blocked_violation_total_count = SUM(Esql.ml_policy_blocked_violation_count)
+  by


nit: I think single line is easier to read, but im assuming its just really long now.

Mikaayenson

lgtm. I think we have an opportunity to standardize esql function case.

otherwise great work!

JDKurma

LGTM!

Aegrah

Other than my comments, it looks g2g for Linux.

Aegrah · 2025-07-29T07:35:35Z

rules/linux/defense_evasion_base64_decoding_activity.toml

+            process.args IN ("-d", "-base64", "-a")
+        ) OR
+        (
+            process.name RLIKE "^python.*" AND (


Why was this modified to RLIKE?

Aegrah · 2025-07-29T07:35:51Z

rules/linux/defense_evasion_base64_decoding_activity.toml

+            )
+        ) OR
+        (
+            process.name RLIKE "^perl.*" AND


Aegrah · 2025-07-29T07:35:57Z

rules/linux/defense_evasion_base64_decoding_activity.toml

+            process.command_line LIKE "*decode_base64*"
+        ) OR
+        (
+            process.name RLIKE "^ruby.*" AND


Aegrah · 2025-07-29T07:37:44Z

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml

+    host.name.values = VALUES(host.name),
+    agent.id.values = VALUES(agent.id)


These two don't need an Esql. prefix?

Aegrah · 2025-07-29T07:37:58Z

rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml

+    host.name.values = VALUES(host.name),
+    agent.id.values = VALUES(agent.id)


Aegrah · 2025-07-29T07:38:46Z

rules/linux/impact_potential_bruteforce_malware_infection.toml

+    host.name.values = VALUES(host.name),
+    agent.id.values = VALUES(agent.id)


Aegrah · 2025-07-29T07:39:15Z

rules/linux/persistence_web_server_sus_child_spawned.toml

+    host.name.values = VALUES(host.name),
+    agent.id.values = VALUES(agent.id)


Aegrah · 2025-07-29T07:39:39Z

rules/linux/persistence_web_server_sus_command_execution.toml

+    host.name.values = VALUES(host.name),
+    agent.id.values = VALUES(agent.id)


terrancedejesus added 30 commits July 16, 2025 08:55

adjusted Potential Widespread Malware Infection Across Multiple Hosts

9e9214f

adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source

7b5855a

adjusted AWS EC2 Multi-Region DescribeInstances API Calls

7c66bb5

adjusted AWS Discovery API Calls via CLI from a Single Resource

9ae8568

adjusted AWS Service Quotas Multi-Region Requests

868ce2e

adjusted AWS EC2 EBS Snapshot Shared or Made Public

c321f3d

adjusted AWS S3 Bucket Enumeration or Brute Force

24c5b12

adjusted AWS EC2 EBS Snapshot Access Removed

a86052f

adjusted Potential AWS S3 Bucket Ransomware Note Uploaded

32e8664

adjusted AWS S3 Object Encryption Using External KMS Key

019e153

adjusted AWS S3 Static Site JavaScript File Uploaded

2244489

adjusted AWS Access Token Used from Multiple Addresses

e175310

adjusted AWS Signin Single Factor Console Login with Federated User

af2198d

adjusted AWS IAM AdministratorAccess Policy Attached to Group

fcc8d02

adjusted AWS IAM AdministratorAccess Policy Attached to Role

4eeedb0

adjusted AWS IAM AdministratorAccess Policy Attached to User

0c817ff

adjusted AWS Bedrock Invocations without Guardrails Detected by a Sin…

7c7afcc

…gle User Over a Session

adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Sin…

229e206

…gle User Over a Session

adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations W…

0642d25

…ithin a Single Blocked Request

adjusted Unusual High Confidence Content Filter Blocks Detected

3566242

adjusted Potential Abuse of Resources by High Token Count and Large R…

ba58831

…esponse Sizes

AWS Bedrock Detected Multiple Attempts to use Denied Models by a Sing…

a7f84d0

…le User

Unusual High Denied Sensitive Information Policy Blocks Detected

bd84ad4

adjusted Unusual High Denied Topic Blocks Detected

0e505a7

adjusted AWS Bedrock Detected Multiple Validation Exception Errors by…

020b230

… a Single User

adjusted Unusual High Word Policy Blocks Detected

1686dc8

adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Prope…

17b5894

…rties

adjusted Azure Entra MFA TOTP Brute Force Attempts

e5c02e5

adjusted Microsoft Entra ID Sign-In Brute Force Activity

cd8d6df

adjusted Microsoft Entra ID Exccessive Account Lockouts Detected

d99dd39

terrancedejesus requested review from Mikaayenson, DefSecSentinel, imays11, Aegrah, shashank-elastic and eric-forte-elastic July 24, 2025 16:04

github-actions bot deployed to docs-preview July 24, 2025 16:04 View deployment

terrancedejesus requested a review from w0rk3r July 24, 2025 16:04

Mikaayenson requested a review from JDKurma July 24, 2025 16:07

updated dates

3f44a67

github-actions bot deployed to docs-preview July 24, 2025 18:50 View deployment

updated dates

68c672d

github-actions bot deployed to docs-preview July 25, 2025 14:36 View deployment

Mikaayenson reviewed Jul 25, 2025

View reviewed changes

Mikaayenson approved these changes Jul 25, 2025

View reviewed changes

JDKurma approved these changes Jul 28, 2025

View reviewed changes

Aegrah approved these changes Jul 29, 2025

View reviewed changes

		host.name.values = VALUES(host.name),
		agent.id.values = VALUES(agent.id)

[Rule Tuning] ESQL Query Field Dynamic Field Standardization #4912

Are you sure you want to change the base?

[Rule Tuning] ESQL Query Field Dynamic Field Standardization #4912

Conversation

terrancedejesus commented Jul 16, 2025

Pull Request

Summary - What I changed

How To Test

Checklist

Contributor checklist

Uh oh!

tradebot-elastic commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Jul 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Mikaayenson Jul 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

terrancedejesus Jul 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Mikaayenson left a comment

Choose a reason for hiding this comment

Uh oh!

JDKurma left a comment

Choose a reason for hiding this comment

Uh oh!

Aegrah left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

tradebot-elastic commented Jul 24, 2025 •

edited

Loading

tradebot-elastic commented Jul 25, 2025 •

edited

Loading

Mikaayenson Jul 25, 2025 •

edited

Loading

terrancedejesus Jul 28, 2025 •

edited

Loading