Skip to content

Commit 45cc98f

Browse files
[Security Rules] Update security rules package to v8.19.20-beta.2 (#18282)
1 parent 988aa07 commit 45cc98f

9 files changed

Lines changed: 409 additions & 15 deletions

packages/security_detection_engine/changelog.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,10 @@
11
# newer versions go on top
22
# NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
3+
- version: 8.19.20-beta.2
4+
changes:
5+
- description: Release security rules update
6+
type: enhancement
7+
link: https://github.com/elastic/integrations/pull/18282
38
- version: 8.19.20-beta.1
49
changes:
510
- description: Release security rules update
Lines changed: 136 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,136 @@
1+
{
2+
"attributes": {
3+
"author": [
4+
"Elastic"
5+
],
6+
"description": "Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.",
7+
"from": "now-9m",
8+
"index": [
9+
"endgame-*",
10+
"logs-crowdstrike.fdr*",
11+
"logs-endpoint.events.process-*",
12+
"logs-m365_defender.event-*",
13+
"logs-sentinel_one_cloud_funnel.*",
14+
"logs-system.security*",
15+
"logs-windows.sysmon_operational-*",
16+
"winlogbeat-*"
17+
],
18+
"language": "eql",
19+
"license": "Elastic License v2",
20+
"name": "Remote Management Access Launch After MSI Install",
21+
"note": "## Triage and analysis\n\n### Investigating Remote Management Access Launch After MSI Install\n\nThis rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.\n\n### Possible investigation steps\n\n- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing \"/i\"; second should be a remote management software.\n- Review the source of the MSI file using file events.\n- Check whether use of RMM software is approved for this host.\n- Check network events to validate which remote host the RMM software connects to.\n- Correlate with other alerts for the same host (initial access, persistence, C2).\n\n### False positive analysis\n\n- Legitimate IT/MSP deployment of RMM for support.\n\n### Response and remediation\n\n- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.\n",
22+
"query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"msiexec.exe\" and \n process.args : (\"/i*\", \"-i*\") and process.parent.name : (\"explorer.exe\", \"sihost.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"ScreenConnect.ClientService.exe\" and process.command_line : \"*?e=Access&y=Guest&h*&k=*\") or\n (process.name : \"Syncro.Installer.exe\" and process.args : \"--config-json\" and process.args : \"--key\") or \n process.name : (\"tvnserver.exe\", \"winvnc.exe\") \n )]\n",
23+
"references": [
24+
"https://attack.mitre.org/techniques/T1219/"
25+
],
26+
"related_integrations": [
27+
{
28+
"package": "endpoint",
29+
"version": "^8.2.0"
30+
},
31+
{
32+
"package": "windows",
33+
"version": "^3.0.0"
34+
},
35+
{
36+
"package": "sentinel_one_cloud_funnel",
37+
"version": "^1.0.0"
38+
},
39+
{
40+
"package": "m365_defender",
41+
"version": "^3.0.0"
42+
},
43+
{
44+
"package": "system",
45+
"version": "^2.0.0"
46+
},
47+
{
48+
"package": "crowdstrike",
49+
"version": "^3.0.0"
50+
}
51+
],
52+
"required_fields": [
53+
{
54+
"ecs": true,
55+
"name": "event.type",
56+
"type": "keyword"
57+
},
58+
{
59+
"ecs": true,
60+
"name": "host.id",
61+
"type": "keyword"
62+
},
63+
{
64+
"ecs": true,
65+
"name": "host.os.type",
66+
"type": "keyword"
67+
},
68+
{
69+
"ecs": true,
70+
"name": "process.args",
71+
"type": "keyword"
72+
},
73+
{
74+
"ecs": true,
75+
"name": "process.command_line",
76+
"type": "wildcard"
77+
},
78+
{
79+
"ecs": true,
80+
"name": "process.name",
81+
"type": "keyword"
82+
},
83+
{
84+
"ecs": true,
85+
"name": "process.parent.name",
86+
"type": "keyword"
87+
}
88+
],
89+
"risk_score": 47,
90+
"rule_id": "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d",
91+
"severity": "medium",
92+
"tags": [
93+
"Domain: Endpoint",
94+
"OS: Windows",
95+
"Use Case: Threat Detection",
96+
"Tactic: Command and Control",
97+
"Resources: Investigation Guide",
98+
"Data Source: Elastic Defend",
99+
"Data Source: Sysmon",
100+
"Data Source: SentinelOne",
101+
"Data Source: Microsoft Defender for Endpoint",
102+
"Data Source: Crowdstrike",
103+
"Data Source: Windows Security Event Logs",
104+
"Data Source: Elastic Endgame"
105+
],
106+
"threat": [
107+
{
108+
"framework": "MITRE ATT&CK",
109+
"tactic": {
110+
"id": "TA0011",
111+
"name": "Command and Control",
112+
"reference": "https://attack.mitre.org/tactics/TA0011/"
113+
},
114+
"technique": [
115+
{
116+
"id": "T1219",
117+
"name": "Remote Access Tools",
118+
"reference": "https://attack.mitre.org/techniques/T1219/",
119+
"subtechnique": [
120+
{
121+
"id": "T1219.002",
122+
"name": "Remote Desktop Software",
123+
"reference": "https://attack.mitre.org/techniques/T1219/002/"
124+
}
125+
]
126+
}
127+
]
128+
}
129+
],
130+
"timestamp_override": "event.ingested",
131+
"type": "eql",
132+
"version": 2
133+
},
134+
"id": "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d_2",
135+
"type": "security-rule"
136+
}
Lines changed: 138 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,138 @@
1+
{
2+
"attributes": {
3+
"author": [
4+
"Elastic"
5+
],
6+
"description": "This rule correlates alerts from multiple integrations and event categories that involve different user.name values which may represent the same real-world identity. It uses an LLM-based similarity analysis to evaluate whether multiple user identifiers (e.g. naming variations, formats, aliases, or domain differences) likely belong to the same person.",
7+
"from": "now-60m",
8+
"interval": "30m",
9+
"language": "esql",
10+
"license": "Elastic License v2",
11+
"name": "Correlated Alerts on Similar User Identities",
12+
"note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, analysts should validate findings against their environment and identity architecture.\n\n### Investigating Correlated Alerts on Similar User Identities\n\nThis rule identifies alerts from multiple integrations and event categories involving different `user.name` values that may represent the same real-world identity.\nAn LLM is used to assess string similarity and naming patterns to determine whether multiple user identifiers likely belong to the same person, which may indicate account compromise, credential abuse, or identity misuse across systems.\n\n### Possible investigation steps\n\n- Review the correlated `user.name` values and validate whether they represent naming variations, aliases, or identity mappings.\n- Examine the LLM output fields (`verdict`, `confidence`, `summary`) as decision support, not ground truth.\n- Analyze the diversity of alert sources, event categories, and detection rules involved.\n- Reconstruct the alert timeline to identify potential stages such as initial access, lateral movement, privilege escalation, or persistence.\n- Correlate with authentication logs, IAM/SSO telemetry, EDR data, and network logs to identify shared sessions, IPs, devices, or hosts.\n- Validate identities against directory services, identity providers, and federation mappings.\n\n### False positive analysis\n\n- Identity format variations across systems (e.g., `first.last`, `flast`, `user@domain`).\n- Federated identity mappings between on-prem, cloud, and SaaS platforms.\n- Service, automation, and CI/CD accounts with similar naming conventions.\n- Separate admin and standard user accounts for the same individual.\n- Shared credentials or naming templates in development and test environments.\n\n### Response and remediation\n\n- Temporarily disable or suspend correlated accounts if compromise is suspected.\n- Revoke active sessions, tokens, and credentials.\n- Investigate access scope, privileges, and lateral movement paths.\n- Perform endpoint and identity forensics to identify persistence mechanisms.\n- Remediate IAM misconfigurations and federation issues.\n- Enhance monitoring for identity correlation, credential misuse, and cross-platform abuse..",
13+
"query": "from .alerts-security.*\n\n// truncate timestamp to 5-minute window\n| eval Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp)\n\n// high severity alerts excluding system standard user.ids\n| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score >= 73 and kibana.alert.workflow_status == \"open\" and \n not kibana.alert.rule.type in (\"threat_match\", \"machine_learning\") and\n not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"0\")\n\n// group alerts by short time window and extract values of interest for alert triage\n| stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),\n Esql.user_name_distinct_count = COUNT_DISTINCT(user.name),\n Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),\n Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),\n Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),\n Esql.event_module_values = VALUES(event.module),\n Esql.rule_name_values = VALUES(kibana.alert.rule.name),\n Esql.message_values = VALUES(message),\n Esql.event_category_values = VALUES(event.category),\n Esql.event_action_values = VALUES(event.action),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.destination_ip_values = VALUES(destination.ip),\n Esql.host_id_values = VALUES(host.id),\n Esql.agent_id_values = VALUES(agent.id),\n Esql.rule_severity_values = VALUES(kibana.alert.risk_score),\n Esql.user_name_values = VALUES(user.name) by Esql.time_window_date_trunc\n\n// filter for alerts from different integrations with unique categories\n| where Esql.event_module_distinct_count >= 2 and Esql.user_name_distinct_count >= 2 and Esql.event_category_distinct_count >= 2\n\n// build context for LLM analysis\n| eval users_list = MV_CONCAT(Esql.user_name_values, \",\")\n\n// LLM analysis\n| eval instructions = \"Analyze the provided user names and return a boolean value true if at least 2 of them are similar and they may belong to the same human identify or false if not, do not compare user names that may look like service accounts. If the list of users has more than 2 users and only 2 of them are similar consider this as true. Structure the output as follows: verdict=<verdict> confidence=<score between 0.0 and 1.0> summary=<short reason max 500 words> without any other response statements on a single line.\"\n| eval prompt = CONCAT(\"User identities extracted from different alerts: \", users_list, instructions)\n| COMPLETION triage_result = prompt WITH { \"inference_id\": \".gp-llm-v2-completion\"}\n\n// parse LLM response\n| DISSECT triage_result \"\"\"verdict=%{Esql.verdict} confidence=%{Esql.confidence} summary=%{Esql.summary}\"\"\"\n\n// filter for similar user values\n| where TO_LOWER(Esql.verdict) == \"true\"\n| keep Esql.*\n",
14+
"references": [
15+
"https://www.elastic.co/docs/reference/query-languages/esql/esql-commands#esql-completion",
16+
"https://www.elastic.co/security-labs/elastic-advances-llm-security"
17+
],
18+
"required_fields": [
19+
{
20+
"ecs": false,
21+
"name": "Esql.agent_id_values",
22+
"type": "keyword"
23+
},
24+
{
25+
"ecs": false,
26+
"name": "Esql.confidence",
27+
"type": "keyword"
28+
},
29+
{
30+
"ecs": false,
31+
"name": "Esql.destination_ip_values",
32+
"type": "ip"
33+
},
34+
{
35+
"ecs": false,
36+
"name": "Esql.event_action_values",
37+
"type": "keyword"
38+
},
39+
{
40+
"ecs": false,
41+
"name": "Esql.event_category_distinct_count",
42+
"type": "long"
43+
},
44+
{
45+
"ecs": false,
46+
"name": "Esql.event_category_values",
47+
"type": "keyword"
48+
},
49+
{
50+
"ecs": false,
51+
"name": "Esql.event_module_distinct_count",
52+
"type": "long"
53+
},
54+
{
55+
"ecs": false,
56+
"name": "Esql.event_module_values",
57+
"type": "keyword"
58+
},
59+
{
60+
"ecs": false,
61+
"name": "Esql.host_id_values",
62+
"type": "keyword"
63+
},
64+
{
65+
"ecs": false,
66+
"name": "Esql.message_values",
67+
"type": "keyword"
68+
},
69+
{
70+
"ecs": false,
71+
"name": "Esql.rule_name_distinct_count",
72+
"type": "long"
73+
},
74+
{
75+
"ecs": false,
76+
"name": "Esql.rule_name_values",
77+
"type": "keyword"
78+
},
79+
{
80+
"ecs": false,
81+
"name": "Esql.rule_risk_score_distinct_count",
82+
"type": "long"
83+
},
84+
{
85+
"ecs": false,
86+
"name": "Esql.rule_severity_values",
87+
"type": "long"
88+
},
89+
{
90+
"ecs": false,
91+
"name": "Esql.source_ip_values",
92+
"type": "ip"
93+
},
94+
{
95+
"ecs": false,
96+
"name": "Esql.summary",
97+
"type": "keyword"
98+
},
99+
{
100+
"ecs": false,
101+
"name": "Esql.time_window_date_trunc",
102+
"type": "date"
103+
},
104+
{
105+
"ecs": false,
106+
"name": "Esql.user_name_distinct_count",
107+
"type": "long"
108+
},
109+
{
110+
"ecs": false,
111+
"name": "Esql.user_name_values",
112+
"type": "keyword"
113+
},
114+
{
115+
"ecs": false,
116+
"name": "Esql.verdict",
117+
"type": "keyword"
118+
}
119+
],
120+
"risk_score": 73,
121+
"rule_id": "1bb329a5-2168-4da5-b7b9-d42a51deb6dd",
122+
"setup": "## Setup\n\n### LLM Configuration\n\nThis rule uses the ES|QL COMPLETION command with Elastic's managed General Purpose LLM v2 (`.gp-llm-v2-completion`),\nwhich is available out-of-the-box in Elastic Cloud deployments with an appropriate subscription.\n\nTo use a different LLM provider (Azure OpenAI, Amazon Bedrock, OpenAI, or Google Vertex), configure a connector\nfollowing the [LLM connector documentation](https://www.elastic.co/docs/explore-analyze/ai-features/llm-guides/llm-connectors)\nand update the `inference_id` parameter in the query to reference your configured connector.\n",
123+
"severity": "high",
124+
"tags": [
125+
"Domain: Identity",
126+
"Domain: LLM",
127+
"Use Case: Threat Detection",
128+
"Use Case: Identity and Access Audit",
129+
"Resources: Investigation Guide",
130+
"Rule Type: Higher-Order Rule"
131+
],
132+
"timestamp_override": "event.ingested",
133+
"type": "esql",
134+
"version": 3
135+
},
136+
"id": "1bb329a5-2168-4da5-b7b9-d42a51deb6dd_3",
137+
"type": "security-rule"
138+
}

0 commit comments

Comments
 (0)