[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)

Jonhnathan
2025-08-28 11:51:45 -07:00
committed by GitHub
parent 1af98a6170
commit 48dfb759cd
5 changed files with 21 additions and 15 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2025/07/21"
updated_date = "2025/08/26"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
"endgame-*",
]
language = "eql"
license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
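Review bot: The new `"Data Source: Elastic Endgame",` tag is appended after `"Resources: Investigation Guide",` in the tags array of this section's last hunk, while the final section of this same commit deliberately moves `"Resources: Investigation Guide"` to the end so that data-source tags stay grouped together. For consistency across the rule set, insert the Endgame tag before the investigation-guide tag: `"Data Source: Elastic Endgame",` followed by `"Resources: Investigation Guide",`. The tags array starts before the hunk, so the earlier entries are not visible here.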
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/08/26"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -69,6 +70,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
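Review bot: Adding `"logs-crowdstrike.fdr*",` to `index` and the matching `"Data Source: Crowdstrike",` tag widens the rule's data sources, but this section shows no change to the query, so whether every field the query filters on is populated by CrowdStrike FDR events cannot be confirmed from the hunks; a field the integration leaves empty would make the rule silently never match on that source while the tag advertises coverage. It is worth verifying the query against a sample FDR event or the integration's field mapping before merging, and recording that check in the commit description, which currently carries nothing beyond the title. The same point applies to the third and fifth sections, which add the index and tag without a visible query change; the fourth section does adjust its query.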
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2021/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/08/26"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
"winlogbeat-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -71,6 +72,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/12/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/08/26"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -74,6 +75,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
@@ -90,11 +92,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
"SolarWinds.Collector.Service*.exe",
"SolarwindsDiagnostics*.exe"
) and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
"MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
) and
registry.path : "*\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and
registry.data.strings : ("4", "0x00000004")
'''
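Review bot: The rewritten `registry.path : "*\\SYSTEM\\*ControlSet*\\Services\\*\\Start"` drops the hive anchoring that the three removed prefixes (`HKLM\\...`, `\\REGISTRY\\MACHINE\\...`, `MACHINE\\...`) provided, presumably so that the CrowdStrike path form also matches. Because the `SYSTEM\ControlSet*\Services` hierarchy only exists under the machine hive this is unlikely to widen matches in practice, but it reads as a loosening of the filter, so the rationale deserves to be recorded rather than left implicit. The unchanged `registry.data.strings : ("4", "0x00000004")` condition still decides the match; whether CrowdStrike FDR events populate that field with a string of that form is not visible here and is worth confirming with a sample event. The enclosing EQL query starts before this hunk.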
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/15"
integration = ["endpoint", "windows", "m365_defender"]
integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/08/26"
[transform]
[[transform.osquery]]
@@ -44,6 +44,7 @@ index = [
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -105,10 +106,11 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"