[Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020)

* [Rule Tuning] 3rd Party EDR Compatibility - 3 * bump updated_date to 8.16 release date * min_stack for merge, bump updated_date
2024-10-11 13:19:56 -03:00
parent 4538bfcd9f
commit 2afb4038db
10 changed files with 116 additions and 66 deletions
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/12/25"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -15,9 +17,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -87,12 +92,6 @@ Audit Handle Manipulation (Success,Failure)

 This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.
 Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule.
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
 tags = [
@@ -104,6 +103,9 @@ tags = [
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/03/14"
-integration = ["windows", "endpoint", "system"]
+integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [rule]
 author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -34,6 +39,9 @@ tags = [
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -41,7 +49,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
  (
-    (process.name : "sqlcmd.exe" or process.pe.original_file_name : "sqlcmd.exe") or
+    (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or
    process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
  ) and
  process.args : "*[VeeamBackup].[dbo].[Credentials]*"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/06/05"
-integration = ["windows", "endpoint", "system"]
+integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [rule]
 author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -35,6 +40,9 @@ tags = [
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2022/11/01"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [transform]
 [[transform.osquery]]
@@ -37,9 +39,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -102,6 +107,9 @@ tags = [
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [transform]
 [[transform.osquery]]
@@ -37,9 +39,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -110,6 +115,9 @@ tags = [
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/06/01"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies modifications of the AmsiEnable registry key to 0, which disables the
 adversary can modify this key to disable AMSI protections.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of AmsiEnable Registry Key"
@@ -71,14 +73,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
    "Domain: Endpoint",
@@ -89,18 +83,20 @@ tags = [
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-registry where host.os.type == "windows" and event.type == "change" and registry.value : "AmsiEnable" and
-  registry.path : (
-    "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
-    "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
-    "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
-  ) and
-  registry.data.strings: ("0", "0x00000000")
+registry where host.os.type == "windows" and event.type == "change" and
+  registry.value : "AmsiEnable" and registry.data.strings: ("0", "0x00000000")
+
+  /*
+    Full registry key path omitted due to data source variations:
+    HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
+  */
 '''


@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/11/22"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [rule]
 author = ["Austin Songer"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -78,6 +83,9 @@ tags = [
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [rule]
 author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -56,14 +61,6 @@ This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-Ev
 references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"]
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
    "Domain: Endpoint",
@@ -74,6 +71,9 @@ tags = [
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/01/31"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [transform]
 [[transform.osquery]]
@@ -33,9 +35,12 @@ from = "now-9m"
 index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -100,6 +105,9 @@ tags = [
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/01/31"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

 [transform]
 [[transform.osquery]]
@@ -30,7 +32,7 @@ program, and grants the user with the ability to check whether the program has b
 execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Code Signing Policy Modification Through Registry"
@@ -94,18 +96,20 @@ tags = [
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-  registry.value: "BehaviorOnFailedVerify" and
-  registry.path : (
-    "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify",
-    "HKU\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify",
-    "\\REGISTRY\\USER\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify"
-  ) and registry.data.strings : ("0", "0x00000000", "1", "0x00000001")
+  registry.value: "BehaviorOnFailedVerify" and registry.data.strings : ("0", "0x00000000", "1", "0x00000001")
+
+  /*
+    Full registry key path omitted due to data source variations:
+    "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify"
+  */
 '''