Downloadable rule updates

edit

This section lists all updates to prebuilt detection rules, made available with the Prebuilt Security Detection Rules integration in Fleet.

To update your installed rules to the latest versions, follow the instructions in Update Elastic prebuilt rules.

For previous rule updates, please navigate to the last version.

Update version Date New rules Updated rules Notes

8.12.26

28 Oct 2024

6

117

This release includes significant rule tuning for Linux, Amazon Bedrock and Okta rules for better rule efficacy and performance.

8.12.25

16 Oct 2024

1

29

This release includes a new rule for Windows credential access detection. Additionally, significant rule tuning for Windows, Sysmon, Microsoft Defender for Endpoint and SentinelOne rules has been added for better rule efficacy and performance.

8.12.24

10 Oct 2024

4

0

This release includes a new rule for Okta integration initial access detection. Additionally, significant rule tuning for ESQL queries has been added to include required metadata and achieve best practices for performance.

8.12.23

01 Oct 2024

6

175

This release includes new rules for Windows and Linux. New rules for Windows include detection for defense evasion. New rules for Linux include detection for CUPS Vulnerability exploitation including coverage for CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 vulnerabilities. Additionally, significant rule tuning for Windows, AWS, AWS Bedrock and Microsoft 365 rules has been added for better rule efficacy and performance.

8.12.22

17 Sep 2024

17

5

This release includes new rules for Windows,Linux, MacOS, AWS Bedrock, Azure, Okta and Microsoft 365 integration. New rules for Windows include detection for privilege escalation, command and control, persistence, defense evasion and execution. New rules for Linux include detection for defense evasion, execution and credential access. New rules for MacOS include detection for privilege escalation. New rules for AWS Bedrock include detection for impact. New rules for Azure include detection for credential access. New Rules for Okta include detection for defense evasion. New Rules for Microsoft 365 include detection for initial access. Additionally, significant rule tuning for Windows , Linux and Microsoft 365 rules has been added for better rule efficacy and performance.

8.12.21

03 Sep 2024

9

5

This release includes new rules for Linux and AWS integration. New rules for Linux include detection for defense evasion and execution. New rules for AWS include detection for discovery, initial access, execution, and defense evasion. Additionally, significant rule tuning for Windows and MacOS rules has been added for better rule efficacy and performance.

8.12.20

21 Aug 2024

1

183

This release includes a new rule for Linux defense evasion detection. Additionally, significant rule tuning for Windows, Linux and AWS integration rules has been added for better rule efficacy and performance.

8.12.19

06 Aug 2024

7

42

This release includes new rules for Windows and AWS integration. New rules for Windows include detection for credential access and command and control. New rules for AWS include detection for execution, credential access, persistence and lateral movement. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy and performance.

8.12.18

25 Jul 2024

14

67

This release includes new rules for Windows, Linux , and AWS integration. Deprecated rules include Suspicious File Changes Activity Detected. New rules for Windows include detection for lateral movement, credential access and defense evasion. New rules for Linux include detection for privilege escalation, execution, and persistence. New rules for AWS include detection for exfiltration, defense evasion and impact. Additionally, significant rule tuning for Windows, Linux, AWS, Google Workplace and Okta integration rules has been added for better rule efficacy and performance.

8.12.17

09 Jul 2024

9

13

This release includes new rules for Windows, Linux , AWS and Azure integration. New rules for Windows include detection for credential access and defense evasion. New rules for Linux include detection for persistence. New rules for AWS include detection for exfiltration, persistence and impact. New rules for Azure include detection for credential access. Additionally, significant rule tuning for Windows, Linux, AWS, Google Workplace and Microsoft 365 integration rules has been added for better rule efficacy and performance.

8.12.16

28 Jun 2024

12

15

This release includes new rules and tuned for Windows, Linux and AWS integration. New rules for Windows include detection for persistence and execution. New rules for Linux include detection for persistence and privilege escalation. New rules for AWS include detection for defense evasion. Additionally, significant rule tuning for Windows, Linux and AWS rules has been added for better rule efficacy and performance.

8.12.15

25 Jun 2024

6

54

This release includes new rules for Windows, Okta and AWS integration and tuned rules for Okta and AWS. New rules for Windows include detection for defense evasion, privilege escalation, and credential access. New rules for AWS include detection for persistence. New rules for Okta include detection for credential access. Additionally, significant rule tuning for Okta and AWS rules has been added for better rule efficacy and performance.

8.12.14

11 Jun 2024

19

29

This release includes new rules for Linux and AWS integration and tuned rules for Windows , Linux, AWS and Microsoft 365. New rules for Linux include detection for persistence. New rules for AWS include detection for execution, persistence, credential access, impact, exfiltration, privilege escalation and discovery. Additionally, significant rule tuning for Windows ,Linux and Microsoft 365 rules has been added for better rule efficacy and performance.

8.12.13

29 May 2024

4

123

This release includes new rules for Linux and AWS integration and tuned rules for Windows ,Linux and MacOS. New rules for Linux include detection for persistence. New rules for AWS include detection for lateral movement, defense evasion and discovery. Additionally, significant rule tuning for Windows ,Linux and MacOS rules has been added for better rule efficacy and performance.

8.12.12

15 May 2024

10

40

This release includes new rules for Windows and AWS integration and tuned rules for Windows and MacOS. New rules for Windows include detection for impact, execution, command and control and defense evasion. New rules for AWS include detection for persistence, defense evasion, exfiltration and credential access. Additionally, significant rule tuning for Windows and MacOS rules has been added for better rule efficacy and performance.

8.12.11

06 May 2024

0

0

This version bump is a result of an out of band update. No rules require an update to this version.

8.12.10

30 Apr 2024

2

2

This release includes new rules for Linux and Windows and tuned rules for Linux. New rules for Linux include detection for persistence. New rules for Windows include detection for privilege escalation. Additionally, significant rule tuning for Linux rules has been added for better rule efficacy and performance.

8.12.9

23 Apr 2024

11

110

This release includes new rules and tuned rules for Windows. New rules for Windows include detection for potential windows session hijacking via CcmExec. Additionally, significant rule tuning for Windows rules has been added for better rule efficacy and performance.

8.12.8

03 Apr 2024

8

238

This release includes new rules for Linux and Windows and tuned rules for Windows. Deprecated rules include Remote File Creation on a Sensitive Directory New rules for Linux include detection for persistence. New rules for Windows include detection for credential access, initial access, discovery and command and control. Additionally, significant rule tuning for Windows rules has been added for better rule efficacy and performance.

8.12.7

25 Mar 2024

5

549

This release includes new rules for Linux and Windows and tuned rules for Linux, Windows and macOS. New rules for Linux include detection for execution. New rules for Windows include detection for credential access. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance.

8.12.6

07 Mar 2024

9

7

This release includes significant rule tuning for Linux rules for better rule efficacy and performance.

8.12.5

23 Feb 2024

5

33

This release includes a new rule for Windows detection of suspicious execution from INET cache. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy and performance.

8.12.4

08 Feb 2024

10

6

This release includes new and tuned rules for Linux and Windows. New rules for Linux include detection for discovery, persistence, privilege escalation and defense evasion. New rules for Windows include detection for Active Directory enumeration. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance.

8.12.3

25 Jan 2024

19

165

This release includes new rules for Windows, Linux, Containers and GitHub. New rules for Windows include detection for evasion via Windows Filtering Platform. Linux rules for endpoints include detection for kernel driver loading and buffer overflow exploitation. Container rules for Linux include detection for container breakout via modified release agent files. Several new GitHub rules have been added for detection of suspicious activity related to IP addresses, tokens and repositories. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance.

8.12.2

03 Jan 2024

1

64

This release includes a new Linux rule for detecting reverse TCP shells through child processes. Deprecated rules include Malicious Remote File Creation and Potential Process Herpaderping Attempt. Several Windows rules with EQL queries have been tuned for better rule efficacy and performance. An Okta rule for MFA deactivation has been tuned to reduce false positives. Rule content has been updated for several Windows, Linux and Okta rules to improve clarity and accuracy.

8.12.1

14 Dec 2023

7

35

This release includes new Windows, Linux and Okta rules. New rules for Windows include detection for processes created with duplicated tokens and interactive logons. Linux rules include detection for Out-of-Tree kernel module loading, persistence through Systemd-udevd and Kworker UID elevation. New rules for Okta include detection for stolen credentials being used to reset MFA and suspicious authentication events. Additionally, significant rule tuning for Windows, Linux and Okta rules has been added for better rule efficacy.