[Rule Tuning] Improve Detection Compatibility with Non-English Logs (#4410)

* [Rule Tuning] Improve Detection Compatibility with Non-English Logs * Update rules/windows/persistence_dontexpirepasswd_account.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update credential_access_disable_kerberos_preauth.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2025-01-23 16:12:42 -03:00
parent d6f1a75f11
commit fccfafea6b
20 changed files with 67 additions and 61 deletions
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -64,8 +64,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
-    event.code == "5137" and startsWith(winlog.event_data.ObjectDN, "DC=*,")
+any where host.os.type == "windows" and event.code == "5137" and
+    startsWith(winlog.event_data.ObjectDN, "DC=*,")
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -61,8 +61,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
-    event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
+any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -97,8 +97,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"

 query = '''
-event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and
- winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
+event.code:"4662" and winlog.event_data.Properties:(
+                               *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
                               *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
                               *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
 not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
@@ -2,7 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -98,8 +98,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where event.action : ("Directory Service Access", "object-operation-performed") and
-  event.code == "4662" and winlog.event_data.Properties : (
+any where event.code == "4662" and
+  winlog.event_data.Properties : (

    /* Control Access Rights/Permissions Symbol */

@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
+event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
  winlog.event_data.AttributeValue : (
    (
@@ -2,7 +2,7 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -15,7 +15,7 @@ cracking attacks such as AS-REP roasting.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Kerberos Pre-authentication Disabled for User"
 note = """## Triage and analysis
@@ -83,10 +83,11 @@ tags = [
    "Data Source: System",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"

 query = '''
-event.code:4738 and winlog.api:"wineventlog" and message:"'Don't Require Preauth' - Enabled"
+any where host.os.type == "windows" and event.code == "4738" and
+  winlog.event_data.NewUACList == "USER_DONT_REQUIRE_PREAUTH"
 '''


@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -64,8 +64,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
-    event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and
+any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and
    not winlog.event_data.SubjectUserName : "*$"
 '''
 note = """## Triage and analysis
@@ -2,7 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -56,7 +56,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and
+any where event.code == "4662" and

  not winlog.event_data.SubjectUserSid : "S-1-5-18" and

@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -145,7 +145,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where event.action == "File System" and event.code == "4656" and
+any where event.code == "4656" and

    winlog.event_data.ObjectName : (
        "?:\\Windows\\System32\\lsass.exe",
@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -92,8 +92,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:"Authorization Policy Change" and event.code:4704 and
-  winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
+event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
 '''


@@ -2,7 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -101,9 +101,9 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
- winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and
- not winlog.event_data.SubjectUserName: MSOL_*
+event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and
+  winlog.event_data.AttributeValue :B\:828* and
+  not winlog.event_data.SubjectUserName: MSOL_*
 '''


@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -100,8 +100,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and
-  winlog.event_data.OperationType:"%%14674" and
+event.code:5136 and winlog.event_data.OperationType:"%%14674" and
  winlog.event_data.ObjectClass:"user" and
  winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 '''
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -104,7 +104,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=

  /* excluding accounts with existing privileged access */
  not winlog.event_data.PrivilegeList : "SeDebugPrivilege"]
- [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
+ [any where event.code == "5145" and winlog.event_data.RelativeTargetName : "winreg"]
 '''


@@ -2,7 +2,7 @@
 creation_date = "2025/01/14"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/14"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -87,9 +87,16 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action : "changed-audit-config" and event.code : "4719" and host.os.type : "windows" and
- winlog.event_data.AuditPolicyChangesDescription : "Success removed" and
- winlog.event_data.SubCategory : ("Logon" or "Audit Policy Change" or "Process Creation" or "Audit Other System Events" or "Audit Security Group Management" or "Audit User Account Management")
+event.code : "4719" and host.os.type : "windows" and
+  winlog.event_data.AuditPolicyChangesDescription : "Success removed" and
+  winlog.event_data.SubCategory : (
+     "Logon" or
+     "Audit Policy Change" or
+     "Process Creation" or
+     "Audit Other System Events" or
+     "Audit Security Group Management" or
+     "Audit User Account Management"
+  )
 '''


@@ -2,7 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -46,8 +46,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where event.action in ("Directory Service Access", "object-operation-performed") and
- event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
+any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
 winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
 '''
 note = """## Triage and analysis
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -41,8 +41,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and
-  winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
+event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -23,7 +23,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Account Configured with Never-Expiring Password"
 note = """## Triage and analysis
@@ -75,11 +75,17 @@ tags = [
    "Data Source: System",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"

 query = '''
-event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and
-  message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18"
+any where host.os.type == "windows" and
+(
+  (event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD") or
+  (
+    event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and
+    winlog.event_data.AttributeValue in ("66048", "66080")
+  )
+)
 '''


@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -54,8 +54,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-iam where event.action == "modified-user-account" and event.code == "4738" and
-  winlog.event_data.AllowedToDelegateTo : "*krbtgt*"
+iam where event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*"
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -101,8 +101,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-any where event.action in ("Directory Service Changes", "directory-service-object-modified") and
-  event.code == "5136" and
+any where event.code == "5136" and
  winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and
  length(winlog.event_data.AttributeValue) > 15 and
  winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*"
@@ -2,7 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -57,8 +57,8 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
-  winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and
+event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and
+  winlog.event_data.OperationType:"%%14674" and
  not winlog.event_data.SubjectUserSid : "S-1-5-18"
 '''
 note = """## Triage and analysis