From 7b655759aba36d94bad6c5149fce6ae4d9d40241 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:58:37 -0300 Subject: [PATCH] [Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035) * [Rule Tuning] 3rd Party EDR Compatibility - 10 * min_stack for merge, bump updated_date --- .../execution_enumeration_via_wmiprvse.toml | 47 ++++++------------- .../execution_from_unusual_path_cmdline.toml | 22 ++++----- ...execution_initial_access_via_msc_file.toml | 10 ++-- rules/windows/execution_mofcomp.toml | 9 ++-- ...xecution_shared_modules_local_sxs_dll.toml | 18 +++---- .../windows/execution_suspicious_cmd_wmi.toml | 22 ++++----- .../execution_suspicious_pdf_reader.toml | 22 ++++----- .../execution_suspicious_psexesvc.toml | 15 ++---- .../execution_via_compiled_html_file.toml | 22 ++++----- .../execution_via_hidden_shell_conhost.toml | 18 +++---- 10 files changed, 89 insertions(+), 116 deletions(-) diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index e2def3dc6..587807581 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2021/01/19" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -14,23 +16,18 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" risk_score = 21 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", @@ -40,6 +37,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" @@ -48,28 +48,9 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.command_line != null and process.name: ( - "arp.exe", - "dsquery.exe", - "dsget.exe", - "gpresult.exe", - "hostname.exe", - "ipconfig.exe", - "nbtstat.exe", - "net.exe", - "net1.exe", - "netsh.exe", - "netstat.exe", - "nltest.exe", - "ping.exe", - "qprocess.exe", - "quser.exe", - "qwinsta.exe", - "reg.exe", - "sc.exe", - "systeminfo.exe", - "tasklist.exe", - "tracert.exe", - "whoami.exe" + "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", + "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe", + "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe" ) and process.parent.name:"wmiprvse.exe" and not ( diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index b9e98348e..18bc6ac61 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/10/30" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [transform] [[transform.osquery]] @@ -40,9 +42,12 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -104,14 +109,6 @@ references = [ ] risk_score = 47 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -123,6 +120,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 8fe4c6a5b..bac39e17a 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/05/12" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Identifies the execution of a child process from a Microsoft Common Console file command in an MSC file in order to trick victims into executing malicious commands. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unusual Execution via Microsoft Common Console File" @@ -53,6 +55,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index ec3ebfe1b..88b65dbfb 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/08/23" -integration = ["endpoint"] +integration = ["endpoint", "m365_defender", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst establish persistence using WMI Event Subscription. """ from = "now-9m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"] language = "eql" license = "Elastic License v2" name = "Mofcomp Activity" @@ -25,6 +25,9 @@ tags = [ "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Elastic Endgame", + "Data Source: System", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index b5b97384f..0f8b6fef4 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/10/28" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ shared modules to execute malicious payloads by instructing the Windows module l paths. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Execution via local SxS Shared Module" @@ -23,14 +25,6 @@ The SxS DotLocal folder is a legitimate feature that can be abused to hijack sta references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"] risk_score = 47 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -40,6 +34,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 57bde7b25..c3ba715e7 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/10/19" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -14,9 +16,12 @@ from = "now-9m" index = [ "logs-endpoint.events.process-*", "winlogbeat-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -27,14 +32,6 @@ references = [ ] risk_score = 47 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -44,6 +41,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 703f60c83..c74c84f28 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/03/30" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -14,9 +16,12 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -71,14 +76,6 @@ This rule looks for commonly abused built-in utilities spawned by a PDF reader p """ risk_score = 21 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", @@ -90,6 +87,9 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 8a48048d3..028f8db6e 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/08/14" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies suspicious psexec activity which is executing from the psexec service evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Process Execution via Renamed PsExec Executable" @@ -48,14 +48,6 @@ This rule identifies instances where the PsExec service component is executed us """ risk_score = 47 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -67,6 +59,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index d78eeec7d..e286722d3 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/07" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [transform] [[transform.osquery]] @@ -48,9 +50,12 @@ from = "now-9m" index = [ "winlogbeat-*", "logs-endpoint.events.process-*", - "logs-windows.*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -114,14 +119,6 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w """ risk_score = 47 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -132,6 +129,9 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 7398ebd3c..59d141bed 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/08/17" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/10" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi indicative of code injection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Conhost Spawned By Suspicious Parent Process" @@ -68,14 +70,6 @@ references = [ ] risk_score = 73 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -88,6 +82,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql"