
[Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema#6328

Draft
Mikaayenson wants to merge 3 commits into main from refactor/non-ecs-schema-cleanup

Conversation


@Mikaayenson Mikaayenson commented Jun 23, 2026


Issue link(s):

Resolves #1776

Summary - What I changed

Removed ECS duplicate fields from non-ecs-schema.json to catch future duplicates.

Updated rules in rules/ and rules_building_block/ to use ECS field names where integrations already dual-write the data (Azure, Okta, Kubernetes, winlog, Fortinet, GitHub, and related sources).

Did not migrate aws.cloudtrail.user_identity.arn to user.entity.id because stack validation failed on filebeat-*.

How To Test

python -m pytest tests/test_all_rules.py::TestNonEcsSchema \
  tests/test_all_rules.py::TestRuleMetadata::test_rule_change_has_updated_date \
  tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules_modified

Checklist

  • Added a label for the type of pr: schema, Rule: Tuning
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

…chema

Remove ECS duplicate entries from non-ecs-schema.json, add a guard test,
and update rule queries to use ECS fields where integrations dual-write.

Resolves #1776
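As an added illustration, not code from the detection-rules repo or from this PR, a guard test of the kind the commit message describes: it loads a file shaped like non-ecs-schema.json (assumed here to be a JSON object keyed by index pattern, each mapping field name to type), flags every field that ECS already defines, and strips those duplicates. The ECS field set and the schema sample are constructed for the example.

```python
"""Guard against ECS duplicates in a non-ecs-schema.json-style file.

Assumed layout (not the repo's own code): a JSON object keyed by index
pattern, each value an object of field name -> Elasticsearch type.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed subset of ECS field names; the real check would load the
# full ECS schema for the stack version under test.
ECS_FIELDS = {
    "event.action", "event.outcome", "user.name", "user.id", "user.entity.id",
    "source.ip", "source.address", "user_agent.original", "cloud.account.id",
}

# Constructed sample in the assumed non-ecs-schema.json layout. Two entries
# re-declare ECS fields and must be flagged; the vendor-only ones must stay.
SAMPLE_NON_ECS_SCHEMA = json.dumps({
    "logs-aws.cloudtrail-*": {
        "aws.cloudtrail.user_identity.arn": "keyword",  # vendor-only: keep
        "user.entity.id": "keyword",                     # ECS duplicate
    },
    "logs-okta*": {
        "okta.actor.alternate_id": "keyword",            # vendor-only: keep
        "user_agent.original": "keyword",                # ECS duplicate
    },
    "logs-kubernetes.audit_logs-*": {
        "kubernetes.audit.verb": "keyword",              # vendor-only: keep
    },
})


def load_non_ecs_schema(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the schema and reject malformed shapes before any field check."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("non-ecs schema must be a JSON object keyed by index pattern")
    for pattern, fields in data.items():
        if not isinstance(fields, dict):
            raise ValueError(f"{pattern}: expected an object of field -> type")
    return data


def find_ecs_duplicates(schema: Dict[str, Dict[str, str]],
                        ecs_fields: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (index_pattern, field) pairs that ECS already defines.

    A vendor copy of an ECS field lets a rule validate against the copy's
    type instead of the canonical ECS mapping, so each one is reported
    with the index pattern that carries it.
    """
    ecs = set(ecs_fields)
    hits = []
    for pattern, fields in sorted(schema.items(), key=lambda kv: kv[0]):
        for field in sorted(fields):
            if field in ecs:
                hits.append((pattern, field))
    return hits


def strip_ecs_duplicates(schema: Dict[str, Dict[str, str]],
                         ecs_fields: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """The cleanup step: drop every ECS-defined field, keep vendor-only ones."""
    ecs = set(ecs_fields)
    return {pattern: {f: t for f, t in fields.items() if f not in ecs}
            for pattern, fields in schema.items()}


def format_report(duplicates: List[Tuple[str, str]]) -> str:
    """Failure message listing each offending index pattern and field."""
    if not duplicates:
        return "no ECS duplicates in non-ecs schema"
    lines = [f"{len(duplicates)} ECS field(s) duplicated in non-ecs schema:"]
    lines += [f"  {pattern}: {field}" for pattern, field in duplicates]
    return "\n".join(lines)


def assert_no_ecs_duplicates(schema: Dict[str, Dict[str, str]],
                             ecs_fields: Iterable[str]) -> None:
    """The guard itself: raises with the report if any duplicate slipped in."""
    duplicates = find_ecs_duplicates(schema, ecs_fields)
    if duplicates:
        raise AssertionError(format_report(duplicates))


if __name__ == "__main__":
    raw = load_non_ecs_schema(SAMPLE_NON_ECS_SCHEMA)
    print(format_report(find_ecs_duplicates(raw, ECS_FIELDS)))
    assert_no_ecs_duplicates(strip_ecs_duplicates(raw, ECS_FIELDS), ECS_FIELDS)
```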
@Mikaayenson Mikaayenson added the Rule: Tuning (tweaking or tuning an existing rule) and schema labels Jun 23, 2026
@github-actions


Enhancement - Guidelines

These guidelines serve as a reminder of the considerations to address when adding a new schema feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli).

Additional Schema Related Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Link to the relevant Kibana PR or issue provided
  • Test export/import flow:
    • Exported detection rule(s) from Kibana to showcase the feature(s)
    • Converted the exported ndjson file(s) to toml in the detection-rules repo
    • Re-exported the toml rule(s) to ndjson and re-imported into Kibana
  • Updated necessary unit tests to accommodate the feature
  • Incorporated a comprehensive test rule in unit tests for full schema coverage
  • Applied min_compat restrictions to limit the feature to a specified minimum stack version
  • Executed all unit tests locally with a test toml rule to confirm passing
  • Included Kibana PR implementer as an optional reviewer for insights on the feature
  • Implemented requisite downgrade functionality
  • Cross-referenced the feature with product documentation for consistency
  • Confirm that the proper version label is applied to the PR (patch, minor, major).



tradebot-elastic commented Jun 23, 2026


⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Client Certificate Signing Request Created or Approved (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation or Modification of Sensitive Role (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare AWS Error Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Rule with Obfuscated Name (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Illicit Consent Grant via Registered Application (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NTLM Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Author (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delegated Managed Service Account Modification by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Guest Account Promoted to Member (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Region (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes API Server Proxying Request to Kubelet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Bedrock Unauthorized Foundation Model Access Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vault Web Credentials Read (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Federated Identity Credential Issuer Modified (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Kali365 Default User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Token Created via TokenRequest API (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Admission Webhook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ EKS Authentication Configuration Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Service Installed via an Unusual Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Account Performing DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Interactive Logon by an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder SDProp Exclusion Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Suspicious Launch Agent or Launch Daemon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Computer Account DnsHostName Update (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SeIncreaseBasePriorityPrivilege Use (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in AWS Error Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Shadow Credentials added to AD Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious LSASS Access via MalSecLogon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secrets List Across Cluster or Sensitive Namespaces (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Application Redirect URI Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential ADIDNS Poisoning via Wildcard Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Serial Console Connection with Unusual User and ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta AiTM Session Cookie Replay (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSASS Clone Creation via PssCaptureSnapShot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Potential Endpoint Permission Enumeration Attempt Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret get or list with Suspicious User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes CoreDNS or Kube-DNS Configuration Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes API Request Impersonating Privileged Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Invoke-Mimikatz PowerShell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Managed Run Command Created or Updated with Unusual Principal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Rapid Secret GET Activity Against Multiple Objects (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Group Policy Abuse for Privilege Addition (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Multi-Resource Discovery (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Ephemeral Container Added to Pod (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes RBAC Wildcard Elevation on Existing Role (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Exec with Curl or Wget to HTTPS (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Temporary Access Pass Created for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Register Device with Unusual User Agent (Azure AD Join) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Extension CRUD Operation with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of WDigest Security Provider (eql)
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Machine Account Relay Attack via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with ROADtools Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KRBTGT Delegation Backdoor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Creation via Local Kerberos Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Phishing via AiTM (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Boot Diagnostics Retrieved (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Extension Deployment by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Workflow Modification Blocked (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Kerberos Ticket Request (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Device Code Grant with Unusual User and ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ dMSA Account Creation by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Exec Potential Reverse Shell (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret get or list from Node or Pod Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted DLL Loaded by Azure AD Connect Authentication Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Mikaayenson

Contributor Author

Note: TestEQLEventFieldUsage::test_process_fields_present_in_endpoint_schema also fails on main (rule 62ba8542, process.Ext.effective_parent.executable in a file where clause). Not introduced by this PR.

Scope is rules/ and rules_building_block/ only.
@tradebot-elastic

tradebot-elastic commented Jun 23, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Client Certificate Signing Request Created or Approved (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation or Modification of Sensitive Role (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare AWS Error Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Rule with Obfuscated Name (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Illicit Consent Grant via Registered Application (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NTLM Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Author (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delegated Managed Service Account Modification by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Guest Account Promoted to Member (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Region (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes API Server Proxying Request to Kubelet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Bedrock Unauthorized Foundation Model Access Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vault Web Credentials Read (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Federated Identity Credential Issuer Modified (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Kali365 Default User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Token Created via TokenRequest API (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Admission Webhook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ EKS Authentication Configuration Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Service Installed via an Unusual Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Account Performing DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Interactive Logon by an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder SDProp Exclusion Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via Suspicious Launch Agent or Launch Daemon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Computer Account DnsHostName Update (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SeIncreaseBasePriorityPrivilege Use (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in AWS Error Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Shadow Credentials added to AD Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious LSASS Access via MalSecLogon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secrets List Across Cluster or Sensitive Namespaces (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Application Redirect URI Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential ADIDNS Poisoning via Wildcard Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Serial Console Connection with Unusual User and ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta AiTM Session Cookie Replay (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSASS Clone Creation via PssCaptureSnapShot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Potential Endpoint Permission Enumeration Attempt Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret get or list with Suspicious User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes CoreDNS or Kube-DNS Configuration Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes API Request Impersonating Privileged Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Invoke-Mimikatz PowerShell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Managed Run Command Created or Updated with Unusual Principal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Rapid Secret GET Activity Against Multiple Objects (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Group Policy Abuse for Privilege Addition (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Multi-Resource Discovery (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Ephemeral Container Added to Pod (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes RBAC Wildcard Elevation on Existing Role (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Exec with Curl or Wget to HTTPS (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Temporary Access Pass Created for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Register Device with Unusual User Agent (Azure AD Join) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Extension CRUD Operation with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of WDigest Security Provider (eql)
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Machine Account Relay Attack via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with ROADtools Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KRBTGT Delegation Backdoor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Creation via Local Kerberos Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Phishing via AiTM (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Boot Diagnostics Retrieved (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Extension Deployment by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Workflow Modification Blocked (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Kerberos Ticket Request (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Device Code Grant with Unusual User and ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ dMSA Account Creation by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Exec Potential Reverse Shell (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret get or list from Node or Pod Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted DLL Loaded by Azure AD Connect Authentication Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Mikaayenson Mikaayenson changed the title [Maintenance] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema [Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema Jun 23, 2026
@Mikaayenson Mikaayenson self-assigned this Jun 23, 2026
Drop unrelated JumpCloud exclusion that referenced process.Ext fields
outside the endpoint file schema. Apply ruff format to TestNonEcsSchema.
tradebot-elastic commented Jun 23, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Client Certificate Signing Request Created or Approved (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation or Modification of Sensitive Role (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare AWS Error Code (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Rule with Obfuscated Name (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Illicit Consent Grant via Registered Application (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NTLM Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Author (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delegated Managed Service Account Modification by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Relay Attack against a Computer Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Guest Account Promoted to Member (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Region (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes API Server Proxying Request to Kubelet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Bedrock Unauthorized Foundation Model Access Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vault Web Credentials Read (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Federated Identity Credential Issuer Modified (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Kali365 Default User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Token Created via TokenRequest API (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Admission Webhook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ EKS Authentication Configuration Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Service Installed via an Unusual Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Account Performing DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Interactive Logon by an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder SDProp Exclusion Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Computer Account DnsHostName Update (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SeIncreaseBasePriorityPrivilege Use (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Spike in AWS Error Messages (-)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Shadow Credentials added to AD Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious LSASS Access via MalSecLogon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secrets List Across Cluster or Sensitive Namespaces (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Actor Token User Impersonation Abuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Application Redirect URI Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential ADIDNS Poisoning via Wildcard Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Serial Console Connection with Unusual User and ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta AiTM Session Cookie Replay (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSASS Clone Creation via PssCaptureSnapShot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Potential Endpoint Permission Enumeration Attempt Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret get or list with Suspicious User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes CoreDNS or Kube-DNS Configuration Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes API Request Impersonating Privileged Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Invoke-Mimikatz PowerShell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Managed Run Command Created or Updated with Unusual Principal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Rapid Secret GET Activity Against Multiple Objects (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Group Policy Abuse for Privilege Addition (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Multi-Resource Discovery (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Ephemeral Container Added to Pod (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes RBAC Wildcard Elevation on Existing Role (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Exec with Curl or Wget to HTTPS (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Temporary Access Pass Created for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Register Device with Unusual User Agent (Azure AD Join) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Extension CRUD Operation with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of WDigest Security Provider (eql)
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Machine Account Relay Attack via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with ROADtools Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KRBTGT Delegation Backdoor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Creation via Local Kerberos Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Phishing via AiTM (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Boot Diagnostics Retrieved (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VM Extension Deployment by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Workflow Modification Blocked (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell Kerberos Ticket Request (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Device Code Grant with Unusual User and ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ dMSA Account Creation by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Exec Potential Reverse Shell (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret get or list from Node or Pod Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted DLL Loaded by Azure AD Connect Authentication Agent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

event.code == "0100044547" and
fortinet.firewall.cfgpath == "firewall.policy" and
fortinet.firewall.action in ("Add", "Edit") and
event.action in ("Add", "Edit") and

@eric-forte-elastic eric-forte-elastic Jun 23, 2026

Contributor


I think this change will not work without updating integrations to support it.


It looks like the event pipeline consumes fortinet.firewall.action only to derive
event.outcome / event.type, not event.action:

After routing, the main pipeline sets event.action from
fortinet.firewall.event.type (only when still null). For config events that means
event.action becomes the event.type value, and Add/Edit/download are never copied:
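A pre-migration check for the point raised above, written as an added example (not code from detection-rules or the Fortinet integration): the pipeline function is a hypothetical simplification of the behaviour the comment describes, and the sample documents are constructed. It shows why a rule rewritten from `fortinet.firewall.action` to `event.action in ("Add", "Edit")` stops matching, and gives a reusable test that a vendor field is really dual-written to its ECS counterpart before a rule is migrated.

```python
from typing import Any, Iterable

# Constructed sample of what the integration might emit for a firewall policy
# change before the ingest pipeline runs (not real log data).
RAW_FORTINET_DOCS: list[dict[str, Any]] = [
    {
        "event.code": "0100044547",
        "fortinet.firewall.cfgpath": "firewall.policy",
        "fortinet.firewall.action": "Add",
        "fortinet.firewall.event.type": "config",
    },
    {
        "event.code": "0100044547",
        "fortinet.firewall.cfgpath": "firewall.policy",
        "fortinet.firewall.action": "Edit",
        "fortinet.firewall.event.type": "config",
    },
]


def simulate_fortinet_pipeline(doc: dict[str, Any]) -> dict[str, Any]:
    """Hypothetical model of the pipeline behaviour described in the review.

    fortinet.firewall.action only feeds event.outcome / event.type; event.action
    is filled from fortinet.firewall.event.type, and only when it is still null.
    """
    out = dict(doc)
    if doc.get("fortinet.firewall.action") in ("Add", "Edit"):
        out["event.type"] = ["change"]
        out["event.outcome"] = "success"
    if out.get("event.action") is None and "fortinet.firewall.event.type" in doc:
        out["event.action"] = doc["fortinet.firewall.event.type"]
    return out


def is_dual_written(docs: Iterable[dict[str, Any]], vendor_field: str, ecs_field: str) -> bool:
    """A vendor field is safe to migrate only if every ingested document carries
    the same value in the ECS field; one mismatch means the rule would drift."""
    docs = list(docs)
    return bool(docs) and all(d.get(ecs_field) == d.get(vendor_field) for d in docs)


def rule_hits(docs: Iterable[dict[str, Any]], field: str, values: tuple[str, ...]) -> int:
    """Count documents a simplified `field in (values)` clause would match."""
    return sum(1 for d in docs if d.get(field) in values)


def check_migration(raw_docs, vendor_field: str, ecs_field: str, values: tuple[str, ...]) -> dict:
    """Compare rule coverage before and after swapping vendor_field for ecs_field."""
    ingested = [simulate_fortinet_pipeline(d) for d in raw_docs]
    return {
        "dual_written": is_dual_written(ingested, vendor_field, ecs_field),
        "hits_before": rule_hits(ingested, vendor_field, values),
        "hits_after": rule_hits(ingested, ecs_field, values),
    }
```

Running `check_migration(RAW_FORTINET_DOCS, "fortinet.firewall.action", "event.action", ("Add", "Edit"))` reports the field as not dual-written with two hits before the change and zero after; the same check passes for `fortinet.firewall.event.type` against `event.action`, which the modelled pipeline does copy.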


Labels

patch Rule: Tuning tweaking or tuning an existing rule schema

Development

Successfully merging this pull request may close these issues.

Review use of non-ecs-schema

3 participants