[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)

* Remove Windows Integration & Winlogbeat Support

* Update lateral_movement_service_control_spawned_script_int.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan
2022-02-15 23:04:55 -03:00
committed by GitHub
parent 03f60cc11c
commit 3227d65cd8
5 changed files with 12 additions and 10 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/04"
maturity = "production"
updated_date = "2022/01/17"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ network which allows the adversary to blend into legitimate traffic. activity. T
targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Commonly Abused Web Services"
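Review bot: The new `index` line drops `winlogbeat-*` and `logs-windows.*` without recording the reason anywhere in the rule itself, so a maintainer reading this file later sees only a narrower index list; the same applies to the index hunks of "Network Logon Provider Registry Modification", "External IP Lookup from Non-Browser Process" and "Potential LSA Authentication Package Abuse" in this commit. The commit title attributes the removal to `user.id`, presumably because the query (outside this hunk) depends on that field and the dropped sources do not populate it reliably. Consider capturing that in the rule's `note` field, for example `Winlogbeat and the Windows integration indices were removed because this rule relies on user.id, which those sources do not consistently provide (see #1773).`, so the coverage limitation is visible in the rule and in Kibana rather than only in git history.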
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/03/18"
maturity = "production"
updated_date = "2021/03/18"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ the authentication credentials in clear text during user logon.
"""
false_positives = ["Authorized third party network logon providers."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Network Logon Provider Registry Modification"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/04"
maturity = "production"
updated_date = "2021/08/14"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "External IP Lookup from Non-Browser Process"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/15"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies Service Control (sc.exe) spawning from script interpreter processes t
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Control Spawned via Script Interpreter"
@@ -22,6 +22,8 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
/* This rule is not compatible with Sysmon due to user.id issues */
process where event.type == "start" and
(process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and
process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
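Review bot: The added `/* This rule is not compatible with Sysmon due to user.id issues */` sits inside the `query` string, so it ships as part of the EQL sent to Kibana rather than as documentation a rule user can find, and it is in tension with the new `index` list in the previous hunk, which keeps `winlogbeat-*` even though Winlogbeat's Sysmon module indexes Sysmon events into that same pattern. If the intent is to keep Security-channel process-creation events (the newly added `logs-system.*`) while excluding Sysmon-sourced ones, that constraint belongs in the rule's `note` field and, if enforcement is wanted, in the query's conditions rather than in a comment alone. The query body continues past the end of this hunk, so the `user.id` usage the comment refers to is not visible here. A `note` sentence along the lines of `This rule is not compatible with Sysmon process events because they do not carry user.id; it is intended for Security-channel process creation events ingested via logs-system.* or winlogbeat-*.` would make the limitation visible where users configure the rule.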
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ privilege escalation or persistence by placing a reference to a binary in the Wi
executed by SYSTEM when the authentication packages are loaded.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSA Authentication Package Abuse"