security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] 3rd Party EDR Compatibility - 13 (#4038)

Browse Source 
* [Rule Tuning] 3rd Party EDR Compatibility - 13

* min_stack for merge, bump updated_date
This commit is contained in:
Jonhnathan
2024-10-11 16:55:02 -03:00
committed by GitHub
parent 0cbbae4f83
commit 07c4535871
10 changed files with 98 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/04"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -24,14 +29,6 @@ name = "Remote File Copy to a Hidden Share"
references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
risk_score = 47
rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -41,6 +38,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/lateral_movement_unusual_dns_service_children.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/07/16"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -21,9 +23,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -72,14 +77,6 @@ references = [
]
risk_score = 73
rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -91,6 +88,9 @@ tags = [
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies suspicious file creations in the startup folder of a remote system. A
laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Lateral Movement via Startup Folder"
@@ -21,14 +23,6 @@ references = [
]
risk_score = 73
rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -38,6 +32,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/persistence_app_compat_shim.toml
+13 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies the installation of custom Application Compatibility Shim databases.
abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
@@ -25,13 +27,20 @@ tags = [
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb",
"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"
) and
not process.executable :
("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe",
"?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
rules/windows/persistence_appinitdlls_registry.toml
+9 -13
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -48,7 +50,7 @@ Attackers who add those DLLs to the registry locations can execute code with ele
injection, and provide a solid and constant persistence on the machine.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Registry Persistence via AppInit DLL"
@@ -107,16 +109,8 @@ This rule identifies modifications on the AppInit registry keys.
"""
risk_score = 47
rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"]
timestamp_override = "event.ingested"
type = "eql"
@@ -126,7 +120,9 @@ registry where host.os.type == "windows" and event.type == "change" and
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
"\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
) and
not process.executable : (
"?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
rules/windows/persistence_browser_extension_install.toml
+8 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/08/22"
integration = ["endpoint"]
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies the install of browser extensions. Malicious browser extensions can b
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
index = ["logs-endpoint.events.file-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
@@ -24,6 +26,9 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/persistence_evasion_hidden_local_account_creation.toml
+9 -12
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/12/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ sometimes done by attackers to increase access to a system and avoid appearing i
the net users command.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of a Hidden Local User Account"
@@ -49,14 +51,6 @@ references = [
]
risk_score = 73
rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -67,6 +61,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -75,7 +71,8 @@ query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
"\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
"\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
"MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
)
'''
rules/windows/persistence_evasion_registry_ifeo_injection.toml
+12 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/17"
integration = ["endpoint"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter
different process to be executed. This functionality can be abused by an adversary to establish persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Image File Execution Options Injection"
@@ -30,6 +32,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -45,7 +49,11 @@ registry where host.os.type == "windows" and event.type == "change" and
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
"\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
"\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
"\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
"MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
"MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
) and
/* add FPs here */
not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+14 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/03/15"
integration = ["endpoint"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -37,7 +39,7 @@ Identifies suspicious startup shell folder modifications to change the default S
detections monitoring file creation in the Windows Startup folder.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Startup Shell Folder Modification"
@@ -110,6 +112,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -124,10 +128,16 @@ registry where host.os.type == "windows" and event.type == "change" and
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
"HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"HKCU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
"HKCU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
"\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
"\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
"\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
"USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
"USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
) and
registry.data.strings != null and
/* Normal Startup Folder Paths */
rules/windows/persistence_local_scheduled_job_creation.toml
+4 -12
View File
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2021/03/15"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2024/06/11"
updated_date = "2024/10/10"
[rule]
author = ["Elastic"]
@@ -14,22 +14,14 @@ task scheduling functionality to facilitate initial or recurring execution of ma
"""
false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Scheduled Job Creation"
risk_score = 47
rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
timestamp_override = "event.ingested"
type = "eql"