Downloadable rule updates
editDownloadable rule updates
editThis section lists all updates to prebuilt detection rules, made available with the Prebuilt Security Detection Rules integration in Fleet.
To update your installed rules to the latest versions, follow the instructions in Download latest Elastic prebuilt rules.
For previous rule updates, please navigate to the last version.
Update version | Date | New rules | Updated rules | Notes |
---|---|---|---|---|
18 Sep 2023 |
5 |
7 |
This release includes new rules for Windows, Linux and Github. Github rules have officially been added to the prebuilt rules package. New rules for Windows include additional detection for suspicious shorcut files, WMI execution and persistence via Office documents. Regarding, Linux include additional detection for reverse shells via UDP and Meterpreter. Windows rules have been tuned for better rule efficacy. |
|
07 Sep 2023 |
14 |
505 |
This release includes new rules for Windows, Linux and macOS. New rules for Windows include additional detection for LOLBins, credential access and defense evasion. Regarding, Linux include additional detection for privilege escalation, user enumeration and anomalous binary execution. New detection for macOS includes trap signal execution, hidden files and suspicious process relationships. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. |
|
17 Aug 2023 |
10 |
29 |
This release includes new Linux rules for detecting additional privilege escalation and enumeration techniques.
Additionally, a Windows rule has been added to detection PowerShell script execution with Webcam access.
The |
|
02 Aug 2023 |
5 |
62 |
This release includes new building block rules for Windows and Linux. Additionally, threat intel indicator rules have been deprecated in favor of new categorized indicator rules. Windows, Linux and Kubernetes rules have been tuned for better rule efficacy. |
|
14 Jul 2023 |
20 |
27 |
This release includes new rules for Linux regarding reverse shells, credential access and reconnaissance. Additionally, Windows rules for PowerShell and WMI abuse have been tuned for better rule efficacy. Linux rule tuning included detection for shadow files, abnormal PID relationships and brute forcing attempts. |
|
29 Jun 2023 |
4 |
8 |
This release includes new Threat Indicator rules for IP addresses, domains, URLs, file hashes and Windows registry keys. Additionally, Windows rules for PowerShell abuse have been tuned for better rule efficacy. |
|
28 Jun 2023 |
8 |
786 |
This release includes new Linux rules for detecting additional privilege escalation and enumeration techniques. Additionally, a new cross-platform rule for detecting command-and-control to Google Drive has been added. All rule tags have been adjusted to key value pairs for better rule searching and filtering in the Kibana UI. All network rules have been adjusted to query the network packet capture data indices. Rule tuning for Windows and Linux rules has been added for better rule efficacy. |
|
14 Jun 2023 |
3 |
4 |
This release includes rule tuning for Windows rules for better rule efficacy. Rules tuned include WMI lateral movement, PowerShell Engine ImageLoad and unusual files created from alternate data streams. New Linux rules regarding suspicious process and Systemd service or timer relationships have been added. |
|
01 Jun 2023 |
1 |
35 |
This release includes a new Linux rule for SSH brute force detection. Additionally, new investigation guides for Google Workspace and Windows rules have been added. Rule tuning for Linux, Google Workspace and Windows rules have been added for better rule efficacy. |
|
19 May 2023 |
8 |
46 |
This release includes new rules for Linux and a new rule for Windows. New rules for Linux include detection for ransomware, credential dumping and web server exploitation. New Terms rules have been added for Linux to detect persistence techniques. A rule to detect web shells in Linux has been deprecated in favor of the new web server exploitation rule. Another rule to detect commonly abused remote administration tools on Windows has also been added. Additionally, significant rule tuning for Windows, AWS and Linux rules has been added for better rule efficacy. |
|
27 Apr 2023 |
9 |
14 |
This release includes new rules for Windows, Linux, Google Workspace and ESXI. Additionally, significant rule tuning for Windows, Linux and Google Workspace has been added for better rule efficacy. Detection logic for Linux shell breakouts, Windows process injection and credential access has been improved. A Google Workspace rule has been added to detect potential phishing with Google Apps Script. Several ESXI rules have been added to detect discovery commands, timestomping and suspicious processes. |
|
12 Apr 2023 |
11 |
566 |
This release includes new rules for Windows, Linux and Google Workspace. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. New Google Workspace rules leveraging the token (OAuth) data stream were added. Additional investigation guides for Windows rules have also been added to this release. A new rule for detecting cryptominers on Linux has also been included. |
|
15 Feb 2023 |
29 |
110 |
This release includes new rules for Windows and Linux endpoints. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. A Google Workspace promotional rule was added to promote security alerts from the Alert Center. Machine learning rules related to failed logins have been adjusted for better scoring results. Additional investigation guides have been added for Windows and Linux rules. A New Terms rule has been created to identify loaded Windows drivers not seen in the last 30 days. A guided onboarding rule has been created to assist new SIEM users with getting started. |