From 7c78e4081fbf2e79889f0a90d858efc58aa02c23 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 16 Sep 2024 11:02:46 -0300
Subject: [PATCH] [Rule Tuning] min_stack New Rules that use the S1 Integration (#4079)

* [Rule Tuning] min_stack New Rules that use the S1 Integration
* Update execution_windows_powershell_susp_args.toml
* Update execution_initial_access_foxmail_exploit.toml

---
 rules/windows/defense_evasion_msiexec_child_proc_netcon.toml | 4 +++-
 rules/windows/execution_initial_access_foxmail_exploit.toml | 4 +++-
 .../windows/execution_powershell_susp_args_via_winscript.toml | 4 +++-
 rules/windows/execution_windows_cmd_shell_susp_args.toml | 4 +++-
 rules/windows/execution_windows_powershell_susp_args.toml | 4 +++-
 .../privilege_escalation_msi_repair_via_mshelp_link.toml | 4 +++-
 6 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
index c2cf0ce22..02c86e401 100644
--- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
+++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/09"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index bc4f76599..1e7b2bb13 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
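Review bot: The added `min_stack_version = "8.13.0"` gates the whole rule, not only its SentinelOne data source; if I read the packaging semantics correctly, stacks below 8.13.0 will no longer receive this rule at all, even though the context line lists `endpoint` and `windows` integrations that do not depend on the 8.13.0 change. The `min_stack_comments` string states why the floor exists but not that consequence, which is what a maintainer looking at a coverage gap on an older stack will want to know. Consider spelling it out, e.g. `min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration; rule is not shipped to stacks below 8.13.0."`. The same applies to the other five hunks in this patch, which add the identical two keys.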
@@ -2,7 +2,9 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/17"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 5a8c4f4e0..058f714a9 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2024/09/09"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
index ab81b7fd3..5d000eb60 100644
--- a/rules/windows/execution_windows_cmd_shell_susp_args.toml
+++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2024/09/06"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index 1c7bc8f80..f0fb956a3 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
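Review bot: In the execution_initial_access_foxmail_exploit.toml hunk, `+updated_date = "2024/09/17"` is one day ahead of the commit date (Mon, 16 Sep 2024 -0300) and of the "2024/09/16" value every other file in this patch receives. The removed line already read "2024/09/16", so the bump to the 17th looks like either a typo or a workaround for a validator that insists the field change; if the field only needs to reflect the last edit, `updated_date = "2024/09/16"` keeps it consistent with its siblings and with the commit. If a check does require the value to move, a short note in the PR description would save the next reviewer the same question.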
@@ -2,7 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2024/09/06"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
index 5db7bffb3..698914de2 100644
--- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
+++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/09/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2024/09/12"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/16"
 
 [rule]
 author = ["Elastic"]