diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 75210439c..20b795281 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/15" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" [transform] [[transform.osquery]] @@ -38,7 +38,7 @@ is often done by adversaries while staging, executing temporary utilities, or tr on the process name. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Renamed Utility Executed with Short Program Name" @@ -102,6 +102,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index a3a278e09..088474a8b 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/08/19" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [transform] [[transform.osquery]] @@ -37,7 +39,7 @@ Identifies an unexpected executable file being created or modified by a Windows indicate activity related to remote code execution or other forms of exploitation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unusual Executable File Creation by a System Critical Process" @@ -93,14 +95,6 @@ This rule looks for the creation of executable files done by system-critical pro """ risk_score = 73 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -112,6 +106,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 7390d5c86..9892c746a 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2021/01/21" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/06/28" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [transform] [[transform.osquery]] @@ -37,7 +39,7 @@ Identifies suspicious creation of Alternate Data Streams on highly targeted file and sometimes done by adversaries to hide malware. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Unusual File Creation - Alternate Data Stream" @@ -99,14 +101,6 @@ Attackers can abuse these alternate data streams to hide malicious files, string """ risk_score = 47 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -116,6 +110,9 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" @@ -159,34 +156,8 @@ file where host.os.type == "windows" and event.type == "creation" and file.extension : ( - "pdf", - "dll", - "exe", - "dat", - "com", - "bat", - "cmd", - "sys", - "vbs", - "ps1", - "hta", - "txt", - "vbe", - "js", - "wsh", - "docx", - "doc", - "xlsx", - "xls", - "pptx", - "ppt", - "rtf", - "gif", - "jpg", - "png", - "bmp", - "img", - "iso" + "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js", + "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso" ) ''' diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 5e0ec96e2..db6289fc8 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/12/04" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -11,20 +13,12 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for by adversaries to hide malware. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Execution Path - Alternate Data Stream" risk_score = 47 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -34,6 +28,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index 11e108f87..ce216c841 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/08/19" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -11,23 +13,18 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" name = "Unusual Child Process from a System Virtual Process" risk_score = 73 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -37,6 +34,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index c1c54e30a..9d1a9a8ff 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/03/02" -integration = ["windows", "system"] +integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic", "Austin Songer"] @@ -11,7 +13,15 @@ Identifies the use of Windows Work Folders to execute a potentially masqueraded directory. Misuse of Windows Work Folders could indicate malicious activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] +index = [ + "winlogbeat-*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*" +] language = "eql" license = "Elastic License v2" name = "Signed Proxy Execution via MS Work Folders" @@ -53,14 +63,6 @@ references = [ ] risk_score = 47 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -70,6 +72,9 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index 47e6ae218..52bf87fa1 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/01/13" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -14,9 +16,10 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.sysmon_operational-*", "endgame-*", - "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -37,7 +40,9 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" @@ -51,7 +56,7 @@ process where host.os.type == "windows" and event.type : "start" and ) or process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or ( - process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe" + process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe" ) or ( process.name : "wsl.exe" and process.args : ( diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index a4fa52376..03d26b98d 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/01/12" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -17,6 +19,8 @@ index = [ "logs-windows.*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -33,6 +37,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index eee4103dd..b79b64891 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/01/13" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -14,9 +16,12 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -69,6 +74,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 39a5d7c62..5f5a23a7e 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/01/12" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -14,9 +16,12 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -33,6 +38,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql"