From fcc8aaaf63ee8f736c4f6478de372c149889337a Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 9 Aug 2024 12:46:33 -0300
Subject: [PATCH] [Rule Tuning] Fix missing Winlogbeat index (#3976)

* [Rule Tuning] Fix missing Winlogbeat index

* bump
---
 ...mand_and_control_google_drive_malicious_file_download.toml | 4 ++--
 .../credential_access_forced_authentication_pipes.toml | 4 ++--
 rules/windows/credential_access_dollar_account_relay.toml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
index dc4354ad6..cde6a30ff 100644
--- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/19"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/08/09"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 "Legitimate publicly shared files from Google Drive.",
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*"]
+index = ["auditbeat-*", "logs-endpoint*", "logs-system.security*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Downloaded from Google Drive"
diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
index fa00f333d..aa81bb500 100644
--- a/rules/cross-platform/credential_access_forced_authentication_pipes.toml
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
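Review bot: The new `index` line in command_and_control_google_drive_malicious_file_download.toml keeps the pattern `logs-system.security*` while the two other rules touched by this same commit switch to `logs-system.security-*`, so the three rules now query the system security data stream with two different patterns. If the hyphenated form is the intended convention, this line should read `index = ["auditbeat-*", "logs-endpoint*", "logs-system.security-*", "winlogbeat-*"]`; otherwise the other two files should keep the broader pattern. A short comment above `index` stating which form the repository standardizes on would keep later tunings from reintroducing the mismatch.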
@@ -2,7 +2,7 @@
 creation_date = "2024/07/23"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/08/09"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies a potential forced authentication using related SMB named pipes. Atta
 authenticate to a host controlled by them to capture hashes or enable relay attacks.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-system.security*"]
+index = ["logs-endpoint.events.network-*", "logs-system.security-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
index 7782fe523..cfc330fca 100644
--- a/rules/windows/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/08/09"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ domain controller computer account coming from other hosts to the DC that owns t
 hash after capturing it using forced authentication.
 """
 from = "now-9m"
-index = ["logs-system.security*", "logs-windows.forwarded*"]
+index = ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Relay Attack against a Domain Controller"
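Review bot: The `index` change in credential_access_forced_authentication_pipes.toml does more than add `winlogbeat-*`: it also narrows `logs-system.security*` to `logs-system.security-*`, and the same undocumented narrowing appears in the `index` hunk of credential_access_dollar_account_relay.toml. Neither the subject line nor the message mentions it, yet any index whose name continues after `system.security` with something other than a hyphen would no longer be searched, which is a detection-scope change rather than a missing index. If the tighter pattern is intended it should be called out, since the Google Drive rule in this same commit still uses `"logs-system.security*"`; if it is not, keep the original pattern on the two changed lines.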