security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036)

Browse Source 
* [Rule Tuning] 3rd Party EDR Compatibility - 11

* min_stack for merge, bump updated_date
This commit is contained in:
Jonhnathan
2024-10-11 16:14:40 -03:00
committed by GitHub
parent 7b655759ab
commit 32d02ae7aa
10 changed files with 97 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/initial_access_script_executing_powershell.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. O
executing a PowerShell script, may be indicative of malicious activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Script Executing PowerShell"
@@ -68,14 +70,6 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe`
references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"]
risk_score = 21
rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
@@ -87,6 +81,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"