Downloadable rule updatesedit
This section lists all updates to prebuilt detection rules, made available with the Prebuilt Security Detection Rules integration in Fleet.
To update your installed rules to the latest versions, follow the instructions in Update Elastic prebuilt rules.
For previous rule updates, please navigate to the last version.
Update version | Date | New rules | Updated rules | Notes |
---|---|---|---|---|
23 Apr 2024 |
11 |
110 |
This release includes new rules and tuned rules for Windows. New rules for Windows include detection for potential windows session hijacking via CcmExec. Additionally, significant rule tuning for Windows rules has been added for better rule efficacy and performance. |
|
03 Apr 2024 |
8 |
238 |
This release includes new rules for Linux and Windows and tuned rules for Windows.
Deprecated rules include |
|
25 Mar 2024 |
5 |
549 |
This release includes new rules for Linux and Windows and tuned rules for Linux, Windows and macOS. New rules for Linux include detection for execution. New rules for Windows include detection for credential access. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance. |
|
07 Mar 2024 |
9 |
7 |
This release includes significant rule tuning for Linux rules for better rule efficacy and performance. |
|
23 Feb 2024 |
5 |
33 |
This release includes a new rule for Windows detection of suspicious execution from INET cache. Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy and performance. |
|
08 Feb 2024 |
10 |
6 |
This release includes new and tuned rules for Linux and Windows. New rules for Linux include detection for discovery, persistence, privilege escalation and defense evasion. New rules for Windows include detection for Active Directory enumeration. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance. |
|
25 Jan 2024 |
19 |
165 |
This release includes new rules for Windows, Linux, Containers and GitHub. New rules for Windows include detection for evasion via Windows Filtering Platform. Linux rules for endpoints include detection for kernel driver loading and buffer overflow exploitation. Container rules for Linux include detection for container breakout via modified release agent files. Several new GitHub rules have been added for detection of suspicious activity related to IP addresses, tokens and repositories. Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance. |
|
03 Jan 2024 |
1 |
64 |
This release includes a new Linux rule for detecting reverse TCP shells through child processes.
Deprecated rules include |
|
14 Dec 2023 |
7 |
35 |
This release includes new Windows, Linux and Okta rules. New rules for Windows include detection for processes created with duplicated tokens and interactive logons. Linux rules include detection for Out-of-Tree kernel module loading, persistence through Systemd-udevd and Kworker UID elevation. New rules for Okta include detection for stolen credentials being used to reset MFA and suspicious authentication events. Additionally, significant rule tuning for Windows, Linux and Okta rules has been added for better rule efficacy. |