From 0a69c19c836e9fd08ee8d310ac3f9e4e3912f177 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Tue, 11 Jun 2024 18:58:26 +0530
Subject: [PATCH] Update Minstack versions for SentinelOne rules (#3777)
---
 .../collection_email_powershell_exchange_mailbox.toml | 6 +++---
 ...command_and_control_port_forwarding_added_registry.toml | 6 +++---
 rules/windows/command_and_control_rdp_tunnel_plink.toml | 6 +++---
 .../command_and_control_screenconnect_childproc.toml | 7 +++----
 ...credential_access_domain_backup_dpapi_private_keys.toml | 6 +++---
 rules/windows/credential_access_kirbi_file.toml | 6 +++---
 .../credential_access_mimikatz_memssp_default_logs.toml | 6 +++---
 rules/windows/defense_evasion_amsi_bypass_dllhijack.toml | 6 +++---
 .../defense_evasion_hide_encoded_executable_registry.toml | 6 +++---
 ...evasion_masquerading_suspicious_werfault_childproc.toml | 6 +++---
 ...ense_evasion_persistence_account_tokenfilterpolicy.toml | 6 +++---
 .../defense_evasion_suspicious_zoom_child_process.toml | 6 +++---
 ...execution_command_shell_started_by_unusual_process.toml | 6 +++---
 ...initial_access_suspicious_ms_outlook_child_process.toml | 6 +++---
 rules/windows/persistence_adobe_hijack_persistence.toml | 6 +++---
 rules/windows/persistence_appcertdlls_registry.toml | 6 +++---
 .../windows/persistence_local_scheduled_job_creation.toml | 6 +++---
 rules/windows/persistence_system_shells_via_services.toml | 6 +++---
 rules/windows/persistence_via_bits_job_notify_command.toml | 6 +++---
 rules/windows/persistence_webshell_detection.toml | 6 +++---
 20 files changed, 60 insertions(+), 61 deletions(-)
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index b31607b49..1ea0ba036 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 0db2f71ea..f9ff7be40 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 1499e8c0d..bec3e54b6 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 6fb210442..0251401ed 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,10 +2,9 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
-
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 6b619d797..2517a7c0d 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index 60bbd7857..ad29d6bc4 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index be347be50..fe2c24545 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 8d05f7533..f119f947b 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 59977ac9d..e317785ad 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index bcfb84a7b..570c60a8c 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 7212b3125..c00d4a008 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index f49c65712..018f735ad 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 07b82ed12..5bead44db 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index f3e9a2167..f6a397104 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index cb3637fac..3b79b1471 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 0313a9910..d34fdd031 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 2a6f2e67c..d03c429f7 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index cfc9e2311..4f5518056 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index b0b62e819..4d6a4b760 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 2c40fa273..a5040b71b 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "SentinelOne integration package minimum version for validation."
-min_stack_version = "8.11.0"
-updated_date = "2024/05/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/11"
 
 [rule]
 author = ["Elastic"]