[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/16"
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,6 +15,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -68,6 +69,7 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
@@ -76,12 +78,16 @@ type = "eql"
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type != "deletion" and
|
||||
file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
|
||||
file.path :
|
||||
(
|
||||
file.path : (
|
||||
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
|
||||
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
|
||||
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
|
||||
)
|
||||
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
|
||||
|
||||
/* Crowdstrike specific condition as it uses NT Object paths */
|
||||
"\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
|
||||
"\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
|
||||
"\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
|
||||
)
|
||||
'''
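Review bot: The three drive-letter entries kept on the new side (`"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*"` and the AddIns and XLSTART lines) still hard-code `C:`, while the Outlook and PowerShell-profile rules in this same commit use the `?:\\Users\\*` wildcard, so a user profile on another volume would fail to match in this rule only. Changing them to `"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*"` (and likewise for the AddIns and XLSTART entries) keeps the three files consistent. The `\\Device\\HarddiskVolume*` entries and the comment introducing them look right for the NT object paths CrowdStrike reports.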
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/23"
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,6 +16,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -73,6 +74,7 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
@@ -80,7 +82,8 @@ type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type != "deletion" and
|
||||
file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
|
||||
file.name : "VbaProject.OTM" and
|
||||
file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM", "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
|
||||
'''
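Review bot: The rewritten `file.path` list on the last line packs the drive-letter and `\\Device\\HarddiskVolume*` patterns onto one line with no comment, whereas the Office add-in file in this commit labels its NT-path entry with `/* Crowdstrike specific condition as it uses NT Object paths */`. Splitting the list one pattern per line and carrying that same comment would make the CrowdStrike-specific entry as easy to spot here; the PowerShell profile file later in this commit has the same omission. The added `file.name : "VbaProject.OTM"` term is implied by both path patterns, so it only serves as a cheap pre-filter, assuming that is the intent.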
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2023/08/22"
|
||||
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,6 +17,8 @@ index = [
|
||||
"logs-m365_defender.event-*",
|
||||
"endgame-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -71,6 +73,8 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: Sysmon",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
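Review bot: No query hunk accompanies the new `logs-crowdstrike.fdr*` index, `crowdstrike` integration and Crowdstrike tag here, so it is not visible whether the rule's query was adjusted for CrowdStrike FDR events. The other rules in this commit had to add `\\Device\\HarddiskVolume*` alternatives because FDR reports NT object paths rather than drive letters; if this rule's query also filters on `file.path` or another path field with `?:\\` patterns, the new index will yield no matches until equivalent entries are added, which is worth confirming against the full file. The next file section (creation_date 2023/08/29) has the same shape and the same question applies.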
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2023/08/29"
|
||||
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
|
||||
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -18,6 +18,7 @@ index = [
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -68,6 +69,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Crowdstrike",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2022/10/13"
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -45,6 +45,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -120,6 +121,7 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
@@ -127,10 +129,13 @@ type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type != "deletion" and
|
||||
file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*",
|
||||
"?:\\Users\\*\\Documents\\PowerShell\\*",
|
||||
"?:\\Windows\\System32\\WindowsPowerShell\\*") and
|
||||
file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
|
||||
file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") and
|
||||
file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1",
|
||||
"?:\\Users\\*\\Documents\\PowerShell\\*.ps1",
|
||||
"?:\\Windows\\System32\\WindowsPowerShell\\*.ps1",
|
||||
"\\Device\\HarddiskVolume*\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1",
|
||||
"\\Device\\HarddiskVolume*\\Users\\*\\Documents\\PowerShell\\*.ps1",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\System32\\WindowsPowerShell\\*.ps1")
|
||||
'''
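Review bot: The rewritten `file.path` list covers the per-user `Documents\\WindowsPowerShell` and `Documents\\PowerShell` profiles and the Windows PowerShell system profile under `System32\\WindowsPowerShell`, but not the PowerShell 7 all-users profile, which lives in the PowerShell 7 install directory rather than under System32. If the `Documents\\PowerShell` entry is meant to extend the rule to PowerShell 7, adding `"?:\\Program Files\\PowerShell\\*.ps1"` and its `\\Device\\HarddiskVolume*` counterpart would close that gap; confirm whether the omission is intended. The `*.ps1` suffix on every path pattern is already implied by the `file.name` list on the preceding line, so it could be dropped without changing what matches.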
|
||||
|
||||
|
||||
|
||||