Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
⛔️ Test failed Results
- Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
- Added '## Triage and analysis' investigation guides to 19 high-severity rules
- Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
Enhanced investigation guides to align with existing SIEM rule format:
- Added detailed context paragraphs explaining the threat and detection logic
- Expanded investigation steps to 6-7 items with specific field references
- Enhanced false positive analysis with 4-5 items and exclusion guidance
- Added comprehensive response and remediation steps (6-7 items)
Rules enhanced:
- Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
- Persistence: shell_profile, hidden_plist, chromium_extension, startup_item, pkg_install_script, launch_agent_daemon
- Execution: unusual_library_python
- Lateral Movement: jamf_endpoint
- Command and Control: google_calendar_c2, oast_domain, etherhiding, curl_from_app, curl_google_script, unsigned_binary
- Collection: pbpaste, sensitive_file_compression
I'm inclined to agree with the comments. @DefSecSentinel Maybe we can collapse these rules?
For example:
Script Interpreter C2 Connections
- command_and_control_perl_outbound_network_connection.toml
- command_and_control_suspicious_outbound_python_network.toml
- command_and_control_script_interpreter_connection_to_non_standard_port.toml
- Several others with same pattern
C2 LOLBin to Suspicious Web Service
- command_and_control_suspicious_curl_to_google_app_script.toml
- command_and_control_aws_s3_connection_via_script.toml
- command_and_control_google_calendar_c2_via_script.toml
- Others targeting curl/wget to specific services
etc.
We can probably optimize a lot here by consolidating. The rules engine calculates the number of rules that can be enabled just by interval and rule execution, so we need to consider how this impacts users that want to enable as many rules as possible.
Fundamentally we try to prevent rule fragmentation. There are some other things we probably should do here, like converting from EQL to ES|QL or adding 3rd-party EDR support, but that will be much easier to see/test after you optimize this set while we have the opportunity to do so.
I'd say move this back to Draft (in GitHub) / In Progress (on the project board) until you can clean up a bit more.
Aegrah left a comment:
LGTM, overall wondering whether we could consolidate some rules into one (esp. because this is DR now, no longer ER), and there are a few inconsistencies that need to be fixed (esp. the ones regarding the ESQL rules), but I'll approve as I expect @DefSecSentinel to fix those before merging.
rules/macos/command_and_control_aws_s3_connection_via_script.toml (outdated, resolved)
rules/macos/command_and_control_network_connection_to_oast_domain.toml (outdated, resolved)
rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml (outdated, resolved)
- Add Esql. prefix to computed fields in ESQL rules
- Add KEEP statements to ESQL rules for proper field visibility
- Add perl* wildcard to OAST domain rule for version consistency
- Add ruby* wildcard to Etherhiding C2 rule for version consistency
- Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
Delete command_and_control_suspicious_outbound_python_network.toml which is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml (same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
- collection_pbpaste_execution_via_unusual_parent.toml
- defense_evasion_gatekeeper_override_and_execution.toml
EQL/KQL rules require timestamp_override: event.ingested
Perl is covered by the broader perl_outbound_network_connection rule which catches perl → any external IP (not just non-standard ports). Perl network connections on macOS are rare and inherently suspicious regardless of port.
Pull Request
Issue link(s):
#4456
Summary
This PR introduces 35 new macOS detection rules migrated from endpoint to enable late-stage kill chain detection through SIEM alerting.
Strategic Rationale
This migration follows the Kill Chain & Confidence Model for macOS detection strategy:
Endpoint Rules (BLOCK): Focus on early kill chain stages (Initial Access, Execution, Defense Evasion) where immediate blocking prevents compromise
SIEM Rules (ALERT): Focus on late kill chain stages (Persistence, Discovery, Collection, C2, Lateral Movement) where alerting enables investigation of potentially compromised systems
Rules selected for SIEM migration represent behaviors that:
Occur after initial compromise and require investigation rather than blocking
Have higher false positive potential in endpoint blocking context
Provide threat hunting value through correlation with other signals
Detect post-exploitation activity where blocking would not prevent the initial compromise