[Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966)

This commit is contained in:
Jonhnathan
2024-08-08 12:02:23 -03:00
committed by GitHub
parent d7c7d9b1c3
commit 25ad765acb
30 changed files with 60 additions and 60 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2024/06/25"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
attacker to impersonate users using Kerberos tickets.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Kirbi File Creation"
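Review bot: The new `"winlogbeat-*"` entry on the index line matches every index Winlogbeat writes, not only the Sysmon channel that `logs-windows.sysmon_operational-*` scoped the rule to, so the rule's scoping now rests entirely on the EQL query (outside this hunk) pinning the source, e.g. via `event.category`, `host.os.type` or `event.provider`; if the query only relies on ECS field presence, Security/System channel events with overlapping fields can reach it, and the wider pattern also adds scan cost for the building-block rules that run over `now-119m` windows (L359-L362 onward). The `integration` list in the metadata hunk is left as is while the data-source set grows; for the files where it reads `integration = ["endpoint"]` (L29/L40, L46/L57 and most of the following sections) there is no entry corresponding to the Sysmon/Winlogbeat source, which is worth confirming against how the repo uses that field for schema validation and the "related integrations" display. The same applies to all 30 index lines in this commit (L40 through L512).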
@@ -2,7 +2,7 @@
creation_date = "2021/03/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ during user logon.
"""
false_positives = ["Authorized third party network logon providers."]
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Logon Provider Registry Modification"
@@ -2,7 +2,7 @@
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies modifications to the Windows Defender registry settings to disable th
started manually.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Defender Disabled via Registry Modification"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2024/06/11"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies registry write modifications to hide an encoded portable executable.
defense evasion by avoiding the storing of malicious content directly on disk.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Encoded Executable Stored in the Registry"
@@ -2,7 +2,7 @@
creation_date = "2024/05/31"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ modify or disable the GQBL, allowing exploitation of hosts running WPAD with def
and lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "DNS Global Query Block List Modified or Disabled"
@@ -2,7 +2,7 @@
creation_date = "2021/01/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Windows cryptographic system to validate file signatures on the system. This may
validation checks or inject code into critical processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "SIP Provider Modification"
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
executed in the target process.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Script Object Execution"
@@ -2,7 +2,7 @@
creation_date = "2021/03/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies NullSessionPipe registry modifications that specify which pipes can b
indicative of adversary lateral movement preparation by making the added pipe available to everyone.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "NullSessionPipe Registry Modification"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration"
min_stack_version = "8.13.0"
updated_date = "2024/08/06"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ WSUS is limited to executing Microsoft signed binaries, which limits the executa
by Microsoft.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential WSUS Abuse for Lateral Movement"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter
different process to be executed. This functionality can be abused by an adversary to establish persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Image File Execution Options Injection"
@@ -2,7 +2,7 @@
creation_date = "2021/03/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[transform]
[[transform.osquery]]
@@ -37,7 +37,7 @@ Identifies suspicious startup shell folder modifications to change the default S
detections monitoring file creation in the Windows Startup folder.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Startup Shell Folder Modification"
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Detects changes to registry persistence keys that are not commonly used or modif
be an indication of an adversary's attempt to persist in a stealthy manner.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Uncommon Registry Persistence Change"
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ could be an indication of an adversary attempting to stealthily persist through
modification of an existing service.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Persistence via Services Registry"
@@ -2,7 +2,7 @@
creation_date = "2020/11/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the creation of a suspicious ImagePath value. This could be an indica
stealthily persist or escalate privileges through abnormal service creation.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious ImagePath Service Creation"
@@ -2,7 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ network devices or clients in the network. Time providers are implemented in the
System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence via Time Provider Modification"
@@ -2,7 +2,7 @@
creation_date = "2024/05/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/29"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies unusual DLLs loaded by the DNS Server process, potentially indicating
functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL loaded by DNS Service"
@@ -2,13 +2,13 @@
creation_date = "2024/04/23"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential privilege escalation via CVE-2022-38028"
@@ -2,7 +2,7 @@
creation_date = "2020/11/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Exploitation involves chaining multiple primitives to load an arbitrary DLL into
SYSTEM.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Print Spooler Point and Print DLL"
@@ -2,7 +2,7 @@
creation_date = "2024/06/05"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/06/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ privileges from groups like Server Operators may change the ImagePath of service
to execute commands.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via Service ImagePath Modification"
@@ -2,7 +2,7 @@
creation_date = "2020/11/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies a privilege escalation attempt via a rogue Windows directory (Windir)
primitive that is often combined with other vulnerabilities to elevate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Windir Environment Variable"
@@ -2,7 +2,7 @@
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies files written to the root of the Recycle Bin folder instead of subdir
the root of the Recycle Bin in preparation for exfiltration or to evade defenses.
"""
from = "now-119m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -2,7 +2,7 @@
creation_date = "2023/08/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies commands containing references to Outlook data files extensions, whic
access, or modification of these files.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
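Review bot: The new index line keeps `"logs-system.security*"` (no hyphen before the wildcard), while the same data source is spelled `"logs-system.security-*"` on L159 of this commit; the hyphen-less form also matches any index named `logs-system.security<anything>`, which is presumably not intended. Since these lines are being rewritten anyway, aligning them on `"logs-system.security-*"` would make the pattern set consistent across the rule set. The same spelling appears on L395, L411, L427, L444, L478 and L512.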
@@ -2,7 +2,7 @@
creation_date = "2023/08/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, async
Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -2,14 +2,14 @@
creation_date = "2023/08/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n"
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -2,14 +2,14 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n"
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -2,7 +2,7 @@
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ service profiles, which accept installation information file (INF) files. Advers
execution of malicious code by supplying INF files that contain malicious commands.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies attempts to modify a service path by an unusual process. Attackers ma
for persistence or privilege escalation.
"""
from = "now-119m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies attempts to modify a service path setting using sc.exe. Attackers may
persistence or privilege escalation.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the suspicious creation of SettingContents-ms files, which have been
execution while evading defenses.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of SettingContent-ms Files"
@@ -2,7 +2,7 @@
creation_date = "2023/08/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/08/07"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b
attackers can abuse this built-in utility to achieve lateral movement.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"