[Rule Tuning] 3rd Party EDR Compatibility - 16 (#4041)
* [Rule Tuning] 3rd Party EDR Compatibility - 16 * Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml * min_stack for merge, bump updated_date --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Jonhnathan
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/08/24"
|
||||
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
min_stack_version = "8.13.0"
|
||||
updated_date = "2024/08/07"
|
||||
updated_date = "2024/10/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,7 +16,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Web Shell Detection: Script Process Child of Common Web Processes"
|
||||
@@ -70,16 +70,8 @@ references = [
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "2917d495-59bd-4250-b395-c29409b76086"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "high"
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System"]
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/08/29"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +13,7 @@ Identifies the registration of a Werfault Debugger. Attackers may abuse this mec
|
||||
every time the utility is executed with the "-pr" parameter.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Werfault ReflectDebugger Persistence"
|
||||
@@ -26,6 +28,9 @@ tags = [
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Sysmon",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -34,7 +39,8 @@ query = '''
|
||||
registry where host.os.type == "windows" and event.type == "change" and
|
||||
registry.path : (
|
||||
"HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
|
||||
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
|
||||
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
|
||||
"MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/20"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/09/23"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +15,7 @@ administrator-level access to the system. This rule identifies registry value ch
|
||||
(UAC) protection.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Disabling User Account Control via Registry Modification"
|
||||
@@ -72,14 +74,6 @@ references = [
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -90,6 +84,8 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -103,7 +99,10 @@ registry where host.os.type == "windows" and event.type == "change" and
|
||||
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop",
|
||||
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
|
||||
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
|
||||
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
|
||||
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop",
|
||||
"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
|
||||
"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
|
||||
"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
|
||||
) and
|
||||
registry.data.strings : ("0", "0x00000000")
|
||||
'''
|
||||
|
||||
@@ -1,14 +1,16 @@
|
||||
[metadata]
|
||||
creation_date = "2024/04/23"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/22"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"]
|
||||
index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential privilege escalation via CVE-2022-38028"
|
||||
@@ -27,6 +29,8 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/13"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/31"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,20 +14,12 @@ legitimate system administration, but can also be abused by an attacker with dom
|
||||
malicious payload remotely on all or a subset of the domain joined machines.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Creation or Modification of a new GPO Scheduled Task or Service"
|
||||
risk_score = 21
|
||||
rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -36,14 +30,18 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type != "deletion" and
|
||||
file.path : ("?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
|
||||
"?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml") and
|
||||
file where host.os.type == "windows" and event.type != "deletion" and file.name : "ScheduledTasks.xml" and
|
||||
file.path : (
|
||||
"?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
|
||||
"?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml"
|
||||
) and
|
||||
not process.name : "dfsrs.exe"
|
||||
'''
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/21"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "m365_defender"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/10/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ privilege escalation or persistence by placing a reference to a binary in the Wi
|
||||
executed by SYSTEM when the authentication packages are loaded.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential LSA Authentication Package Abuse"
|
||||
@@ -26,6 +26,7 @@ tags = [
|
||||
"Tactic: Privilege Escalation",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/23"
|
||||
integration = ["endpoint", "windows", "system"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/07"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -40,9 +42,12 @@ from = "now-9m"
|
||||
index = [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.process-*",
|
||||
"logs-windows.*",
|
||||
"logs-windows.forwarded*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -104,14 +109,6 @@ references = [
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "3ecbdc9e-e4f2-43fa-8cca-63802125e582"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "high"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -122,6 +119,9 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: System",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/21"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "m365_defender"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/05"
|
||||
updated_date = "2024/10/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ processors to run malicious DLLs during system boot that will be executed as SYS
|
||||
persistence, if permissions allow writing a fully-qualified pathname for that DLL.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Port Monitor or Print Processor Registration Abuse"
|
||||
@@ -27,6 +27,7 @@ tags = [
|
||||
"Tactic: Privilege Escalation",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/06"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,21 +19,13 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Print Spooler File Deletion"
|
||||
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
|
||||
risk_score = 47
|
||||
rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -42,14 +36,16 @@ tags = [
|
||||
"Use Case: Vulnerability",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type : "deletion" and
|
||||
not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and
|
||||
file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll"
|
||||
file where host.os.type == "windows" and event.type == "deletion" and
|
||||
file.extension : "dll" and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" and
|
||||
not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/14"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "m365_defender"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/06"
|
||||
updated_date = "2024/10/10"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -37,7 +37,7 @@ Detects attempts to exploit privilege escalation vulnerabilities related to the
|
||||
CVE-2020-1048 and CVE-2020-1337.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.file-*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.file-*", "endgame-*", "logs-m365_defender.event-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Print Spooler SPL File Created"
|
||||
@@ -107,6 +107,7 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Use Case: Vulnerability",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
Reference in New Issue
Block a user