[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 (#4230)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 5 * Update collection_winrar_encryption.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
This commit is contained in:
Jonhnathan
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/04"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -13,7 +13,14 @@ Identifies use of WinRar or 7z to create an encrypted files. Adversaries will of
|
||||
preparation for exfiltration.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
|
||||
index = [
|
||||
"logs-endpoint.events.process-*",
|
||||
"winlogbeat-*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*"
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Encrypting Files with WinRar or 7z"
|
||||
@@ -72,6 +79,9 @@ tags = [
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -87,7 +97,7 @@ process where host.os.type == "windows" and event.type == "start" and
|
||||
process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
|
||||
) or
|
||||
(
|
||||
?process.pe.original_file_name in ("7z.exe", "7za.exe") and
|
||||
(process.name : ("7z.exe", "7za.exe") or ?process.pe.original_file_name in ("7z.exe", "7za.exe")) and
|
||||
process.args == "a" and process.args : "-p*"
|
||||
)
|
||||
) and
|
||||
@@ -95,7 +105,11 @@ process where host.os.type == "windows" and event.type == "start" and
|
||||
"C:\\Program Files\\*.exe",
|
||||
"C:\\Program Files (x86)\\*.exe",
|
||||
"?:\\ManageEngine\\*\\jre\\bin\\java.exe",
|
||||
"?:\\Nox\\bin\\Nox.exe"
|
||||
"?:\\Nox\\bin\\Nox.exe",
|
||||
"\\Device\\HarddiskVolume?\\Program Files\\*.exe",
|
||||
"\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
|
||||
"\\Device\\HarddiskVolume?\\ManageEngine\\*\\jre\\bin\\java.exe",
|
||||
"\\Device\\HarddiskVolume?\\Nox\\bin\\Nox.exe"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
|
||||
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
min_stack_version = "8.14.0"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -34,7 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati
|
||||
testers may run a shell as a service to gain SYSTEM permissions.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "System Shells via Services"
|
||||
@@ -81,7 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
|
||||
risk_score = 47
|
||||
rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"]
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -22,6 +22,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -74,14 +75,14 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "windows" and event.type == "start" and
|
||||
process.name : ("net.exe", "net1.exe") and
|
||||
not process.parent.name : "net.exe" and
|
||||
(process.name : ("net.exe", "net1.exe") and not process.parent.name : "net.exe") and
|
||||
(process.args : "user" and process.args : ("/ad", "/add"))
|
||||
'''
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -23,6 +23,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -41,6 +42,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/17"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -22,6 +22,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -42,6 +43,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/08/24"
|
||||
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
|
||||
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
min_stack_version = "8.14.0"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,7 +16,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Web Shell Detection: Script Process Child of Common Web Processes"
|
||||
@@ -71,7 +71,7 @@ references = [
|
||||
risk_score = 73
|
||||
rule_id = "2917d495-59bd-4250-b395-c29409b76086"
|
||||
severity = "high"
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon"]
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: Crowdstrike"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/18"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -22,6 +22,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -42,6 +43,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -49,9 +51,14 @@ type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "windows" and event.type == "start" and
|
||||
process.args : "/autoclean" and process.args : "/d" and process.executable != null and
|
||||
not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
|
||||
"C:\\Windows\\SysWOW64\\cleanmgr.exe",
|
||||
"C:\\Windows\\System32\\taskhostw.exe")
|
||||
not process.executable : (
|
||||
"C:\\Windows\\System32\\cleanmgr.exe",
|
||||
"C:\\Windows\\SysWOW64\\cleanmgr.exe",
|
||||
"C:\\Windows\\System32\\taskhostw.exe",
|
||||
"\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe",
|
||||
"\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe",
|
||||
"\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/17"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -48,6 +48,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -122,6 +123,7 @@ tags = [
|
||||
"Data Source: System",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -129,11 +131,14 @@ type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "windows" and event.type == "start" and
|
||||
process.parent.name : "eventvwr.exe" and
|
||||
not process.executable :
|
||||
("?:\\Windows\\SysWOW64\\mmc.exe",
|
||||
"?:\\Windows\\System32\\mmc.exe",
|
||||
"?:\\Windows\\SysWOW64\\WerFault.exe",
|
||||
"?:\\Windows\\System32\\WerFault.exe")
|
||||
not process.executable : (
|
||||
"?:\\Windows\\SysWOW64\\mmc.exe",
|
||||
"?:\\Windows\\System32\\mmc.exe",
|
||||
"?:\\Windows\\SysWOW64\\WerFault.exe",
|
||||
"?:\\Windows\\System32\\WerFault.exe",
|
||||
"?\\Device\\HarddiskVolume?\\Windows\\Sys?????\\mmc.exe",
|
||||
"?\\Device\\HarddiskVolume?\\Windows\\Sys?????\\WerFault.exe"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/26"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -48,6 +48,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -122,6 +123,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/15"
|
||||
updated_date = "2024/11/02"
|
||||
min_stack_version = "8.14.0"
|
||||
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
|
||||
|
||||
@@ -48,6 +48,7 @@ index = [
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -122,6 +123,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
Reference in New Issue
Block a user