Skip to content

Monthly Manifest and Schema Refresh + investigation guides#6387

Merged
shashank-elastic merged 3 commits into
mainfrom
monthly_schema_update_july
Jul 6, 2026
Merged

Monthly Manifest and Schema Refresh + investigation guides#6387
shashank-elastic merged 3 commits into
mainfrom
monthly_schema_update_july

Conversation

@shashank-elastic

Copy link
Copy Markdown
Contributor

Pull Request

Issue link(s): https://github.com/elastic/ia-trade-team/issues/967

Summary - What I changed

  • Refresh ECS and Beats Scheama
  • Refresh Integrations Manifest and Schema
  • Add missing investigation guides

How To Test

  • Unit Test to pass

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

1 similar comment
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Network Connection Followed by File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Container Escape via Kernel core_pattern Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Command Execution via Busybox Proxy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux External IP Address Discovery via Curl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Proxy Execution via Systemd-run (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shared Object Load via LoLBin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refreshes stack schema mappings and increments the Python package version while adding investigation guides to several Linux detection rules to improve triage usability.

Changes:

  • Added investigation-guide content (note) to multiple Linux rules and tagged them with Resources: Investigation Guide.
  • Updated updated_date on the touched rules to reflect the modification date.
  • Bumped detection_rules package version and refreshed stack-to-schema version mappings (Beats/ECS).

Reviewed changes

Copilot reviewed 8 out of 72 changed files in this pull request and generated no comments.

Show a summary per file
File Description
rules/linux/privilege_escalation_container_escape_via_kernel_core_pattern.toml Adds an investigation guide and updates metadata/tags for the core_pattern container escape rule.
rules/linux/execution_busybox_unusual_execution.toml Adds an investigation guide and updates metadata/tags for the Busybox proxy execution rule.
rules/linux/discovery_curl_external_ip_discovery.toml Adds an investigation guide and updates metadata/tags for the curl external IP discovery rule.
rules/linux/defense_evasion_proxy_execution_via_systemd_run.toml Adds an investigation guide and updates metadata/tags for the systemd-run proxy execution rule.
rules/linux/defense_evasion_lolbin_so_load.toml Adds an investigation guide and updates metadata/tags for the shared-object load via LoLBin rule.
rules/linux/command_and_control_netcon_file_creation.toml Adds an investigation guide and updates metadata/tags for the netconn-then-file-create sequence rule.
pyproject.toml Increments the detection_rules project version to 1.7.8.
detection_rules/etc/stack-schema-map.yaml Updates the mapped Beats/ECS schema versions for stack 9.4.0 and 9.5.0.

@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Network Connection Followed by File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Container Escape via Kernel core_pattern Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Command Execution via Busybox Proxy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux External IP Address Discovery via Curl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Proxy Execution via Systemd-run (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shared Object Load via LoLBin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Network Connection Followed by File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Container Escape via Kernel core_pattern Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Command Execution via Busybox Proxy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux External IP Address Discovery via Curl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Proxy Execution via Systemd-run (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shared Object Load via LoLBin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic shashank-elastic merged commit 53d753c into main Jul 6, 2026
17 of 21 checks passed
@shashank-elastic shashank-elastic deleted the monthly_schema_update_july branch July 6, 2026 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants