[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 (#4225)

(cherry picked from commit 63956a6)

Author: w0rk3r

rules/windows/execution_windows_powershell_susp_args.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/09/06"
-integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,8 @@ index = [
     "logs-system.security*",
     "logs-windows.sysmon_operational-*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-m365_defender.event-*"
+    "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -35,7 +36,8 @@ tags = [
     "Data Source: System",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
-    "Data Source: Microsoft Defender for Endpoint"
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -103,6 +104,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/initial_access_execution_from_inetcache.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/02/14"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -44,15 +45,21 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and  
- process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
-  (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
-   process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*")
+  process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+  (
+    process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+    process.executable : (
+      "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
+      "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+    )
+  )
 '''
 
 

rules/windows/initial_access_suspicious_ms_exchange_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/04"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -28,6 +28,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -52,23 +53,34 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
-    not process.executable :
-              ("?:\\Windows\\System32\\werfault.exe",
-               "?:\\Windows\\System32\\wermgr.exe",
-               "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
-               "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
-               "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
-               "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
-               "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
-               "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
-               "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
+    not process.executable : (
+          "?:\\Windows\\System32\\werfault.exe",
+          "?:\\Windows\\System32\\wermgr.exe",
+          "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+          "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+          "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+          "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
+          "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe",
+          "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe",
+          "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
+    )
 '''
 
 

rules/windows/initial_access_suspicious_ms_office_child_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -23,6 +23,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -92,6 +93,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
@@ -66,16 +66,8 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the
 """
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
 timestamp_override = "event.ingested"
 type = "eql"
 

rules/windows/lateral_movement_execution_from_tsclient_mup.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -44,6 +45,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,6 +42,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/lateral_movement_unusual_dns_service_children.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -29,6 +29,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -91,6 +92,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/15"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -23,6 +23,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -46,6 +47,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"