[Rule Tuning] Update Mitre Mappings and tags

rules/cross-platform/command_and_control_common_llm_endpoint.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/10"
+updated_date = "2026/03/24"
 
 
 [rule]
@@ -150,16 +150,18 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1102"
 name = "Web Service"
 reference = "https://attack.mitre.org/techniques/T1102/"
 
-
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
 
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
-

rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -123,17 +123,22 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-  [rule.threat.tactic]
-  name = "Command and Control"
-  id = "TA0011"
-  reference = "https://attack.mitre.org/tactics/TA0011/"
-
-  [[rule.threat.technique]]
-  name = "Application Layer Protocol"
-  id = "T1071"
-  reference = "https://attack.mitre.org/techniques/T1071/"
-
-    [[rule.threat.technique.subtechnique]]
-    name = "Web Protocols"
-    id = "T1071.001"
-    reference = "https://attack.mitre.org/techniques/T1071/001/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/19"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -89,14 +89,23 @@ Google Drive is a widely-used cloud storage service that allows users to store a
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1102.003"
+name = "One-Way Communication"
+reference = "https://attack.mitre.org/techniques/T1102/003/"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/18"
 integration = ["endpoint", "panw"]
 maturity = "production"
-updated_date = "2025/11/18"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -70,6 +70,11 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"

rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/10"
 integration = ["endpoint", "suricata"]
 maturity = "production"
-updated_date = "2026/01/20"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,30 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules/cross-platform/command_and_control_tunnel_qemu.toml

@@ -2,7 +2,7 @@
 creation_date = "2026/02/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -95,14 +95,23 @@ process where event.type == "start" and
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1219"
 name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
 
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
 
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -139,26 +139,54 @@ file where event.action in ("open", "creation", "modification") and event.outcom
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
 
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1005"
 name = "Data from Local System"
 reference = "https://attack.mitre.org/techniques/T1005/"
 
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules/cross-platform/credential_access_gitleaks_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/28"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/28"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -103,6 +103,16 @@ id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
@@ -112,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1555/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1213.003"
+name = "Code Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/003/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"

rules/cross-platform/credential_access_trufflehog_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -105,6 +105,16 @@ id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
 
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
@@ -114,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1555/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"