Merged
5 changes: 5 additions & 0 deletions packages/security_detection_engine/changelog.yml
@@ -1,5 +1,10 @@
# newer versions go on top
# NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
- version: 8.19.20-beta.2
changes:
- description: Release security rules update
type: enhancement
link: https://github.com/elastic/integrations/pull/18282
- version: 8.19.20-beta.1
changes:
- description: Release security rules update
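Review bot: the new 8.19.20-beta.2 entry reuses the same generic description ("Release security rules update") as the beta.1 entry directly below it, so the changelog does not tell a reader what this release adds; consider naming the rules added or changed in this PR in the description (or at least "adds N new rules") so consumers can identify the change without opening the linked PR. The pre-release suffix follows the NOTE at the top of the file, which is correct.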
@@ -0,0 +1,136 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.",
"from": "now-9m",
"index": [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Remote Management Access Launch After MSI Install",
"note": "## Triage and analysis\n\n### Investigating Remote Management Access Launch After MSI Install\n\nThis rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.\n\n### Possible investigation steps\n\n- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing \"/i\"; second should be a remote management software.\n- Review the source of the MSI file using file events.\n- Check whether use of RMM software is approved for this host.\n- Check network events to validate which remote host the RMM software connects to.\n- Correlate with other alerts for the same host (initial access, persistence, C2).\n\n### False positive analysis\n\n- Legitimate IT/MSP deployment of RMM for support.\n\n### Response and remediation\n\n- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.\n",
"query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"msiexec.exe\" and \n process.args : (\"/i*\", \"-i*\") and process.parent.name : (\"explorer.exe\", \"sihost.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"ScreenConnect.ClientService.exe\" and process.command_line : \"*?e=Access&y=Guest&h*&k=*\") or\n (process.name : \"Syncro.Installer.exe\" and process.args : \"--config-json\" and process.args : \"--key\") or \n process.name : (\"tvnserver.exe\", \"winvnc.exe\") \n )]\n",
"references": [
"https://attack.mitre.org/techniques/T1219/"
],
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
},
{
"package": "windows",
"version": "^3.0.0"
},
{
"package": "sentinel_one_cloud_funnel",
"version": "^1.0.0"
},
{
"package": "m365_defender",
"version": "^3.0.0"
},
{
"package": "system",
"version": "^2.0.0"
},
{
"package": "crowdstrike",
"version": "^3.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "host.id",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.command_line",
"type": "wildcard"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d",
"severity": "medium",
"tags": [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
"Data Source: Windows Security Event Logs",
"Data Source: Elastic Endgame"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1219",
"name": "Remote Access Tools",
"reference": "https://attack.mitre.org/techniques/T1219/",
"subtechnique": [
{
"id": "T1219.002",
"name": "Remote Desktop Software",
"reference": "https://attack.mitre.org/techniques/T1219/002/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 2
},
"id": "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d_2",
"type": "security-rule"
}
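Review bot: the second step of the sequence is tied to the first only by host.id and the 1-minute maxspan, so any start of ScreenConnect.ClientService.exe (with the guest-access command line), Syncro.Installer.exe, or tvnserver.exe/winvnc.exe (which carry no command-line constraint at all) on a host where a user launched `msiexec.exe /i` from explorer.exe or sihost.exe within the last minute will fire, including an unrelated RMM agent restart; if the telemetry supports it, consider constraining the second event's process.parent.name, or at least state this limitation in the false-positive section. The Response and remediation text hard-codes "terminate the ScreenConnect client" while the query also matches Syncro and the VNC servers; generalize the wording to the matched RMM process. Finally, the other rule in this PR ships a `setup` section and this one has none; it would be the place to state which data sources must populate process.command_line (listed as type wildcard in required_fields) for the ScreenConnect branch to match.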
@@ -0,0 +1,138 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "This rule correlates alerts from multiple integrations and event categories that involve different user.name values which may represent the same real-world identity. It uses an LLM-based similarity analysis to evaluate whether multiple user identifiers (e.g. naming variations, formats, aliases, or domain differences) likely belong to the same person.",
"from": "now-60m",
"interval": "30m",
"language": "esql",
"license": "Elastic License v2",
"name": "Correlated Alerts on Similar User Identities",
"note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, analysts should validate findings against their environment and identity architecture.\n\n### Investigating Correlated Alerts on Similar User Identities\n\nThis rule identifies alerts from multiple integrations and event categories involving different `user.name` values that may represent the same real-world identity.\nAn LLM is used to assess string similarity and naming patterns to determine whether multiple user identifiers likely belong to the same person, which may indicate account compromise, credential abuse, or identity misuse across systems.\n\n### Possible investigation steps\n\n- Review the correlated `user.name` values and validate whether they represent naming variations, aliases, or identity mappings.\n- Examine the LLM output fields (`verdict`, `confidence`, `summary`) as decision support, not ground truth.\n- Analyze the diversity of alert sources, event categories, and detection rules involved.\n- Reconstruct the alert timeline to identify potential stages such as initial access, lateral movement, privilege escalation, or persistence.\n- Correlate with authentication logs, IAM/SSO telemetry, EDR data, and network logs to identify shared sessions, IPs, devices, or hosts.\n- Validate identities against directory services, identity providers, and federation mappings.\n\n### False positive analysis\n\n- Identity format variations across systems (e.g., `first.last`, `flast`, `user@domain`).\n- Federated identity mappings between on-prem, cloud, and SaaS platforms.\n- Service, automation, and CI/CD accounts with similar naming conventions.\n- Separate admin and standard user accounts for the same individual.\n- Shared credentials or naming templates in development and test environments.\n\n### Response and 
remediation\n\n- Temporarily disable or suspend correlated accounts if compromise is suspected.\n- Revoke active sessions, tokens, and credentials.\n- Investigate access scope, privileges, and lateral movement paths.\n- Perform endpoint and identity forensics to identify persistence mechanisms.\n- Remediate IAM misconfigurations and federation issues.\n- Enhance monitoring for identity correlation, credential misuse, and cross-platform abuse..",
"query": "from .alerts-security.*\n\n// truncate timestamp to 5-minute window\n| eval Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp)\n\n// high severity alerts excluding system standard user.ids\n| where kibana.alert.rule.name is not null and user.name is not null and kibana.alert.risk_score >= 73 and kibana.alert.workflow_status == \"open\" and \n not kibana.alert.rule.type in (\"threat_match\", \"machine_learning\") and\n not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"0\")\n\n// group alerts by short time window and extract values of interest for alert triage\n| stats Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),\n Esql.user_name_distinct_count = COUNT_DISTINCT(user.name),\n Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),\n Esql.event_category_distinct_count = COUNT_DISTINCT(event.category),\n Esql.rule_risk_score_distinct_count = COUNT_DISTINCT(kibana.alert.risk_score),\n Esql.event_module_values = VALUES(event.module),\n Esql.rule_name_values = VALUES(kibana.alert.rule.name),\n Esql.message_values = VALUES(message),\n Esql.event_category_values = VALUES(event.category),\n Esql.event_action_values = VALUES(event.action),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.destination_ip_values = VALUES(destination.ip),\n Esql.host_id_values = VALUES(host.id),\n Esql.agent_id_values = VALUES(agent.id),\n Esql.rule_severity_values = VALUES(kibana.alert.risk_score),\n Esql.user_name_values = VALUES(user.name) by Esql.time_window_date_trunc\n\n// filter for alerts from different integrations with unique categories\n| where Esql.event_module_distinct_count >= 2 and Esql.user_name_distinct_count >= 2 and Esql.event_category_distinct_count >= 2\n\n// build context for LLM analysis\n| eval users_list = MV_CONCAT(Esql.user_name_values, \",\")\n\n// LLM analysis\n| eval instructions = \"Analyze the provided user names and return a boolean value true if at least 2 of them are similar and they may 
belong to the same human identify or false if not, do not compare user names that may look like service accounts. If the list of users has more than 2 users and only 2 of them are similar consider this as true. Structure the output as follows: verdict=<verdict> confidence=<score between 0.0 and 1.0> summary=<short reason max 500 words> without any other response statements on a single line.\"\n| eval prompt = CONCAT(\"User identities extracted from different alerts: \", users_list, instructions)\n| COMPLETION triage_result = prompt WITH { \"inference_id\": \".gp-llm-v2-completion\"}\n\n// parse LLM response\n| DISSECT triage_result \"\"\"verdict=%{Esql.verdict} confidence=%{Esql.confidence} summary=%{Esql.summary}\"\"\"\n\n// filter for similar user values\n| where TO_LOWER(Esql.verdict) == \"true\"\n| keep Esql.*\n",
"references": [
"https://www.elastic.co/docs/reference/query-languages/esql/esql-commands#esql-completion",
"https://www.elastic.co/security-labs/elastic-advances-llm-security"
],
"required_fields": [
{
"ecs": false,
"name": "Esql.agent_id_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.confidence",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.destination_ip_values",
"type": "ip"
},
{
"ecs": false,
"name": "Esql.event_action_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.event_category_distinct_count",
"type": "long"
},
{
"ecs": false,
"name": "Esql.event_category_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.event_module_distinct_count",
"type": "long"
},
{
"ecs": false,
"name": "Esql.event_module_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.host_id_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.message_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.rule_name_distinct_count",
"type": "long"
},
{
"ecs": false,
"name": "Esql.rule_name_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.rule_risk_score_distinct_count",
"type": "long"
},
{
"ecs": false,
"name": "Esql.rule_severity_values",
"type": "long"
},
{
"ecs": false,
"name": "Esql.source_ip_values",
"type": "ip"
},
{
"ecs": false,
"name": "Esql.summary",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.time_window_date_trunc",
"type": "date"
},
{
"ecs": false,
"name": "Esql.user_name_distinct_count",
"type": "long"
},
{
"ecs": false,
"name": "Esql.user_name_values",
"type": "keyword"
},
{
"ecs": false,
"name": "Esql.verdict",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "1bb329a5-2168-4da5-b7b9-d42a51deb6dd",
"setup": "## Setup\n\n### LLM Configuration\n\nThis rule uses the ES|QL COMPLETION command with Elastic's managed General Purpose LLM v2 (`.gp-llm-v2-completion`),\nwhich is available out-of-the-box in Elastic Cloud deployments with an appropriate subscription.\n\nTo use a different LLM provider (Azure OpenAI, Amazon Bedrock, OpenAI, or Google Vertex), configure a connector\nfollowing the [LLM connector documentation](https://www.elastic.co/docs/explore-analyze/ai-features/llm-guides/llm-connectors)\nand update the `inference_id` parameter in the query to reference your configured connector.\n",
"severity": "high",
"tags": [
"Domain: Identity",
"Domain: LLM",
"Use Case: Threat Detection",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Rule Type: Higher-Order Rule"
],
"timestamp_override": "event.ingested",
"type": "esql",
"version": 3
},
"id": "1bb329a5-2168-4da5-b7b9-d42a51deb6dd_3",
"type": "security-rule"
}
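Review bot: `prompt` is built as CONCAT("User identities extracted from different alerts: ", users_list, instructions), so the comma-joined user.name values run straight into the instruction text with no separator and no delimiters; because user.name comes from event data that the activity being alerted on can influence, text inside a username can be read by the model as part of the instructions and change `verdict`. Wrap users_list in explicit delimiters (quotes or brackets) and put a separator before the instructions, and keep the note's statement that the LLM fields are decision support, not ground truth. Related: if the model does not follow the requested format, DISSECT leaves Esql.verdict null and the row is silently dropped by `where TO_LOWER(Esql.verdict) == "true"`, so a format drift looks like "no matches" rather than a failure; consider surfacing unparsed responses. Smaller points in the same hunk: the prompt reads "same human identify" (should be "identity"), the note ends with a double period ("cross-platform abuse.."), `Esql.rule_severity_values = VALUES(kibana.alert.risk_score)` stores risk scores under a severity name, and `Esql.rule_risk_score_distinct_count` is computed but never used.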