Downloadable rule updates

edit

This section lists all updates to prebuilt detection rules, made available with the Prebuilt Security Detection Rules integration in Fleet.

To update your installed rules to the latest versions, follow the instructions in Update Elastic prebuilt rules.

For previous rule updates, please navigate to the last version.

Update version Date New rules Updated rules Notes

8.10.18

06 May 2024

0

0

This version bump is a result of an out of band update. No rules require an update to this version.

8.10.17

30 Apr 2024

2

2

This release includes new rules for Linux and Windows and tuned rules for Linux. New rules for Linux include detection for persistence. New rules for Windows include detection for privilege escalation. Additionally, significant rule tuning for Linux rules has been added for better rule efficacy and performance.

8.10.16

23 Apr 2024

11

110

This release includes new rules and tuned rules for Windows. New rules for Windows include detection for potential windows session hijacking via CcmExec. Additionally, significant rule tuning for Windows rules has been added for better rule efficacy and performance.

8.10.15

03 Apr 2024

8

231

This release includes new rules for Linux and Windows and tuned rules for Windows. Deprecated rules include Remote File Creation on a Sensitive Directory New rules for Linux include detection for persistence. New rules for Windows include detection for credential access, initial access, discovery and command and control. Additionally, significant rule tuning for Windows rules has been added for better rule efficacy and performance.

8.10.14

25 Mar 2024

5

540

This release includes new rules for Linux and Windows and tuned rules for Linux, Windows and macOS. New rules for Linux include detection for execution. New rules for Windows include detection for credential access. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance.

8.10.13

07 Mar 2024

9

7

This release includes significant rule tuning for Linux rules for better rule efficacy and performance.

8.10.12

23 Feb 2024

5

32

This release includes a new rule for Windows detection of suspicious execution from INET cache. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy and performance.

8.10.11

08 Feb 2024

10

6

This release includes new and tuned rules for Linux and Windows. New rules for Linux include detection for discovery, persistence, privilege escalation and defense evasion. New rules for Windows include detection for Active Directory enumeration. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance.

8.10.10

25 Jan 2024

12

163

This release includes new rules for Windows, Linux, Containers and GitHub. New rules for Windows include detection for evasion via Windows Filtering Platform. Linux rules for endpoints include detection for kernel driver loading and buffer overflow exploitation. Container rules for Linux include detection for container breakout via modified release agent files. Several new GitHub rules have been added for detection of suspicious activity related to IP addresses, tokens and repositories. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance.

8.10.9

03 Jan 2024

1

62

This release includes a new Linux rule for detecting reverse TCP shells through child processes. Deprecated rules include Malicious Remote File Creation and Potential Process Herpaderping Attempt. Several Windows rules with EQL queries have been tuned for better rule efficacy and performance. An Okta rule for MFA deactivation has been tuned to reduce false positives. Rule content has been updated for several Windows, Linux and Okta rules to improve clarity and accuracy.

8.10.8

14 Dec 2023

7

35

This release includes new Windows and Linux rules. New rules for Windows include detection for processes created with duplicated tokens and interactive logons. Linux rules include detection for Out-of-Tree kernel module loading, persistence through Systemd-udevd and Kworker UID elevation. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy.

8.10.7

28 Nov 2023

11

68

This release includes new rules for Okta and Windows. New rules for Okta include anomalous authentication events into the admin console and 3rd party applications. The new rule for Windows checks for the first time one has seen a NewCredentials logon process. Additionally included is a tuning for an Okta rule detecting MFA bombing via push notifications.

8.10.6

14 Nov 2023

2

366

This release includes new machine learning and Linux rules. New rules for Linux include detection for suspicious network connections via Kworker, kernel ring buffer manipulation and driver loading. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy.

8.10.5

24 Oct 2023

28

279

This release includes new rules for Windows and Linux. New rules for Windows include detection for image loading with invalid signatures. Linux rules include additional detection for suspicious Unix socket connections, privilege esvalation via cap_setuid and reverse shells. Several building block rules have been added for Linux and Windows regarding user entity behavior. Machine learning rules for Domain Generation Algorithms (DGA) and Lateral Movement Detection (LMD) analytic packages have been moved to prebuilt rules. Machine learning rules for Living-off-the-Land (LotL) Detection, and Data Exfiltration Detection (DED) analytic packages have been migrated to the prebuilt rules as well. Additionally, lucene queries using boolean logic have been updated to use uppercase operators.

8.10.4

14 Oct 2023

21

56

This release includes new rules for GitHub, Windows and Linux. New rules for GitHub include detection for organization wide applications and new repository owners. Linux rules include detection for CVE-2023-4911 and CVE-2023-38646 exploitation and reverse shells via background processes. Windows rules include detection for suspicious file extensions and user enumeration. Additionally, significant rule tuning for Windows PowerShell and Microsoft Build Engine rules has been added for better rule efficacy.

8.10.3

18 Sep 2023

5

7

This release includes new rules for Windows, Linux and Github. Github rules have officially been added to the prebuilt rules package. New rules for Windows include additional detection for suspicious shorcut files, WMI execution and persistence via Office documents. Regarding, Linux include additional detection for reverse shells via UDP and Meterpreter. Windows rules have been tuned for better rule efficacy.

8.10.2

07 Sep 2023

14

505

This release includes new rules for Windows, Linux and macOS. New rules for Windows include additional detection for LOLBins, credential access and defense evasion. Regarding, Linux include additional detection for privilege escalation, user enumeration and anomalous binary execution. New detection for macOS includes trap signal execution, hidden files and suspicious process relationships. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy.

8.10.1

17 Aug 2023

10

29

This release includes new Linux rules for detecting additional privilege escalation and enumeration techniques. Additionally, a Windows rule has been added to detection PowerShell script execution with Webcam access. The Suspicious Network Connection Attempt by Root Linux rule has been deprecated in favor of the new privilege escalation rules. Rule tuning for Windows and Linux rules has been added for better rule efficacy.