elastic · eric-forte-elastic · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.14"
+version = "1.6.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "zeek"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
 references = [
@@ -31,10 +30,24 @@ rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
 tags = ["Tactic: Command and Control", "Tactic: Exfiltration", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "esql"
 
 query = '''
-(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
+from logs-network_traffic.*, logs-panw.panos*, logs-zeek.* metadata _id, _index, _version
+| where
+    network.transport == "tcp" and
+    destination.port == 26 and
+    (event.dataset in ("network_traffic.flow", "zeek.smtp") or event.category in ("network", "network_traffic"))
+| keep
+    source.ip,
+    destination.ip,
+    network.transport,
+    destination.port,
+    event.dataset,
+    event.category,
+    _id,
+    _version,
+    _index
 '''
 note = """## Triage and analysis
 

diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -23,8 +23,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
@@ -35,44 +34,39 @@ tags = ["Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Init
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
-type = "query"
+type = "esql"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
-  network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
-  not source.ip:(
-    10.0.0.0/8 or
-    127.0.0.0/8 or
-    169.254.0.0/16 or
-    172.16.0.0/12 or
-    192.0.0.0/24 or
-    192.0.0.0/29 or
-    192.0.0.8/32 or
-    192.0.0.9/32 or
-    192.0.0.10/32 or
-    192.0.0.170/32 or
-    192.0.0.171/32 or
-    192.0.2.0/24 or
-    192.31.196.0/24 or
-    192.52.193.0/24 or
-    192.168.0.0/16 or
-    192.88.99.0/24 or
-    224.0.0.0/4 or
-    100.64.0.0/10 or
-    192.175.48.0/24 or
-    198.18.0.0/15 or
-    198.51.100.0/24 or
-    203.0.113.0/24 or
-    240.0.0.0/4 or
-    "::1" or
-    "FE80::/10" or
-    "FF00::/8"
-  ) and
-  destination.ip:(
-    10.0.0.0/8 or
-    172.16.0.0/12 or
-    192.168.0.0/16
-  )
+from logs-network_traffic.*, logs-panw.panos*, logs-endpoint.events.network-* metadata _id, _index, _version
+| where
+    network.transport == "tcp" and
+    (destination.port == 3389 or event.dataset == "zeek.rdp") and
+    (event.dataset == "network_traffic.flow" or event.category in ("network", "network_traffic")) and
+    source.ip is not null and
+    destination.ip is not null and
+    not cidr_match(source.ip,
+      "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
+      "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
+      "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+      "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
+      "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
+      "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
+      "::1", "FE80::/10", "FF00::/8"
+    ) and
+    cidr_match(destination.ip,
+      "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
+    )
+| keep
+  source.ip,
+  destination.ip,
+  network.transport,
+  destination.port,
+  event.dataset,
+  event.category,
+  _id,
+  _version,
+  _index
+
 '''
 note = """## Triage and analysis
 

diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "zeek"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,15 +13,21 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-zeek.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Initial Access",
+        "Domain: Endpoint",
+        "Use Case: Threat Detection",
+        "Data Source: PAN-OS",
+        "Data Source: Zeek",
+        "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "endpoint", "zeek"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,8 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
@@ -23,44 +22,38 @@ rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
 tags = ["Tactic: Initial Access", "Tactic: Lateral Movement", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "esql"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
-  network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
-  source.ip:(
-    10.0.0.0/8 or
-    172.16.0.0/12 or
-    192.168.0.0/16
-  ) and
-  not destination.ip:(
-    10.0.0.0/8 or
-    127.0.0.0/8 or
-    169.254.0.0/16 or
-    172.16.0.0/12 or
-    192.0.0.0/24 or
-    192.0.0.0/29 or
-    192.0.0.8/32 or
-    192.0.0.9/32 or
-    192.0.0.10/32 or
-    192.0.0.170/32 or
-    192.0.0.171/32 or
-    192.0.2.0/24 or
-    192.31.196.0/24 or
-    192.52.193.0/24 or
-    192.168.0.0/16 or
-    192.88.99.0/24 or
-    224.0.0.0/4 or
-    100.64.0.0/10 or
-    192.175.48.0/24 or
-    198.18.0.0/15 or
-    198.51.100.0/24 or
-    203.0.113.0/24 or
-    240.0.0.0/4 or
-    "::1" or
-    "FE80::/10" or
-    "FF00::/8"
-  )
+from logs-network_traffic.*, logs-panw.panos*, logs-endpoint.events.network-* metadata _id, _index, _version
+| where
+    network.transport == "tcp" and
+    (destination.port == 135 or event.dataset == "zeek.dce_rpc") and
+    (event.dataset == "network_traffic.flow" or event.category in ("network", "network_traffic")) and
+    source.ip is not null and
+    destination.ip is not null and
+    cidr_match(source.ip,
+      "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
+    ) and
+    not cidr_match(destination.ip,
+      "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
+      "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
+      "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+      "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
+      "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
+      "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
+      "::1", "FE80::/10", "FF00::/8"
+    )
+| keep
+  source.ip,
+  destination.ip,
+  network.transport,
+  destination.port,
+  event.dataset,
+  event.category,
+  _id,
+  _version,
+  _index
 '''
 note = """## Triage and analysis
 

diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "zeek"]
 maturity = "production"
-updated_date = "2026/04/01"
+updated_date = "2026/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,54 +13,49 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
 threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-zeek.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMB (Windows File Sharing) Activity to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "medium"
-tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Zeek", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
-  network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
-  source.ip:(
-    10.0.0.0/8 or
-    172.16.0.0/12 or
-    192.168.0.0/16
-  ) and
-  not destination.ip:(
-    10.0.0.0/8 or
-    127.0.0.0/8 or
-    169.254.0.0/16 or
-    172.16.0.0/12 or
-    192.0.0.0/24 or
-    192.0.0.0/29 or
-    192.0.0.8/32 or
-    192.0.0.9/32 or
-    192.0.0.10/32 or
-    192.0.0.170/32 or
-    192.0.0.171/32 or
-    192.0.2.0/24 or
-    192.31.196.0/24 or
-    192.52.193.0/24 or
-    192.168.0.0/16 or
-    192.88.99.0/24 or
-    224.0.0.0/4 or
-    100.64.0.0/10 or
-    192.175.48.0/24 or
-    198.18.0.0/15 or
-    198.51.100.0/24 or
-    203.0.113.0/24 or
-    240.0.0.0/4 or
-    "::1" or
-    "FE80::/10" or
-    "FF00::/8"
-  )
+(event.dataset:network_traffic.flow or event.category:(network or network_traffic))
+  and network.transport:tcp and (destination.port:(139 or 445)
+  or event.dataset:(zeek.smb_cmd or zeek.smb_files or zeek.smb_mapping))
+  and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+  and not destination.ip:(10.0.0.0/8
+    or 100.64.0.0/10
+    or 127.0.0.0/8
+    or 169.254.0.0/16
+    or 172.16.0.0/12
+    or 192.0.0.0/24
+    or 192.0.0.0/29
+    or 192.0.0.10/32
+    or 192.0.0.170/32
+    or 192.0.0.171/32
+    or 192.0.0.8/32
+    or 192.0.0.9/32
+    or 192.0.2.0/24
+    or 192.168.0.0/16
+    or 192.175.48.0/24
+    or 192.31.196.0/24
+    or 192.52.193.0/24
+    or 192.88.99.0/24
+    or 198.18.0.0/15
+    or 198.51.100.0/24
+    or 203.0.113.0/24
+    or 224.0.0.0/4
+    or 240.0.0.0/4
+    or "::1"
+    or "FE80::/10"
+    or "FF00::/8")
 '''
 note = """## Triage and analysis