[Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021)
* [Rule Tuning] 3rd Party EDR Compatibility - 4 * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * bump updated_date to 8.16 release date * min_stack for merge, bump updated_date
This commit is contained in:
Jonhnathan
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/02/01"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/05"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +15,7 @@ certificate would allow an attacker the ability to masquerade malicious files as
|
||||
"""
|
||||
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Creation or Modification of Root Certificate"
|
||||
@@ -68,14 +70,6 @@ references = [
|
||||
]
|
||||
risk_score = 21
|
||||
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -86,6 +80,8 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -101,7 +97,11 @@ registry where host.os.type == "windows" and event.type == "change" and registry
|
||||
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
|
||||
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
|
||||
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
|
||||
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
|
||||
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
|
||||
"MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
|
||||
"MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
|
||||
"MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
|
||||
"MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
|
||||
) and
|
||||
not process.executable : (
|
||||
"?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoHardwareScanAddin\\*\\LdeApi.Server.exe",
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/23"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "windows", "m365_defender"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/07"
|
||||
updated_date = "2024/11/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies modifications to the Windows Defender registry settings to disable th
|
||||
started manually.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Windows Defender Disabled via Registry Modification"
|
||||
@@ -55,14 +55,6 @@ This rule monitors the registry for configurations that disable Windows Defender
|
||||
references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
|
||||
risk_score = 21
|
||||
rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -73,6 +65,7 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/20"
|
||||
integration = ["endpoint", "windows", "system"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/09/23"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,9 +16,12 @@ from = "now-9m"
|
||||
index = [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.process-*",
|
||||
"logs-windows.*",
|
||||
"logs-windows.forwarded*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -76,14 +81,6 @@ references = [
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -94,6 +91,9 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: System",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint", "windows", "system"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/07"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,9 +16,12 @@ from = "now-9m"
|
||||
index = [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.process-*",
|
||||
"logs-windows.*",
|
||||
"logs-windows.forwarded*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -65,6 +70,9 @@ tags = [
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: System",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/08/25"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,7 +16,7 @@ enable persistence methods that require access to the Windows sign-in screen wit
|
||||
Accessibility Features persistence methods, like Sticky Keys.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Network-Level Authentication (NLA) Disabled"
|
||||
@@ -31,16 +33,20 @@ tags = [
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Sysmon",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
registry where host.os.type == "windows" and event.action != "deletion" and
|
||||
registry.path :
|
||||
("HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
|
||||
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" ) and
|
||||
registry.data.strings : "0"
|
||||
registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "UserAuthentication" and
|
||||
registry.path : (
|
||||
"HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
|
||||
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
|
||||
"MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication"
|
||||
) and registry.data.strings : ("0", "0x00000000")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2022/01/31"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +13,7 @@ Identifies attempts to disable PowerShell Script Block Logging via registry modi
|
||||
logging to conceal their activities in the host and evade detection.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "PowerShell Script Block Logging Disabled"
|
||||
@@ -70,6 +72,8 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -78,7 +82,8 @@ query = '''
|
||||
registry where host.os.type == "windows" and event.type == "change" and
|
||||
registry.path : (
|
||||
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
|
||||
"\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
|
||||
"\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
|
||||
"MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
|
||||
) and registry.data.strings : ("0", "0x00000000")
|
||||
'''
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint", "windows", "system"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/07"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,9 +16,12 @@ from = "now-9m"
|
||||
index = [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.process-*",
|
||||
"logs-windows.*",
|
||||
"logs-windows.forwarded*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -53,14 +58,6 @@ This rule identifies patterns related to disabling the Windows firewall or its r
|
||||
"""
|
||||
risk_score = 47
|
||||
rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -71,6 +68,9 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: System",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/07"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/09/23"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,9 +14,12 @@ from = "now-9m"
|
||||
index = [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.process-*",
|
||||
"logs-windows.*",
|
||||
"logs-windows.forwarded*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -63,14 +68,6 @@ references = [
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -82,6 +79,9 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: System",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/05/06"
|
||||
integration = ["endpoint", "windows", "system"]
|
||||
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/07"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
|
||||
@@ -14,9 +16,12 @@ from = "now-9m"
|
||||
index = [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.process-*",
|
||||
"logs-windows.*",
|
||||
"logs-windows.forwarded*",
|
||||
"logs-windows.sysmon_operational-*",
|
||||
"endgame-*",
|
||||
"logs-system.security*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -58,14 +63,6 @@ references = [
|
||||
]
|
||||
risk_score = 21
|
||||
rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -76,6 +73,9 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: System",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/22"
|
||||
integration = ["endpoint", "windows"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/08/05"
|
||||
updated_date = "2024/10/10"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer"]
|
||||
@@ -12,7 +14,7 @@ data. With this enabled, an organization will lose visibility into data such as
|
||||
IP, which are used to determine bad actors.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "DNS-over-HTTPS Enabled via Registry"
|
||||
@@ -22,14 +24,6 @@ references = [
|
||||
]
|
||||
risk_score = 21
|
||||
rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
|
||||
setup = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
||||
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
||||
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
||||
`event.ingested` to @timestamp.
|
||||
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
||||
"""
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
@@ -39,6 +33,8 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -46,11 +42,11 @@ type = "eql"
|
||||
query = '''
|
||||
registry where host.os.type == "windows" and event.type == "change" and
|
||||
(registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and
|
||||
registry.data.strings : "1") or
|
||||
registry.data.strings : ("1", "0x00000001")) or
|
||||
(registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
|
||||
registry.data.strings : "secure") or
|
||||
(registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and
|
||||
registry.data.strings : "1")
|
||||
registry.data.strings : ("1", "0x00000001"))
|
||||
'''
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user