[Rule Tuning] 3rd Party EDR Compatibility - 18 (#4056)

* [Rule Tuning] 3rd Party EDR Compatibility - 18

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* min_stack for merge, bump updated_date

* Update persistence_browser_extension_install.toml

(cherry picked from commit e1addc6)

Author: w0rk3r

rules/windows/command_and_control_teamviewer_remote_file_copy.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
 from = "now-9m"
-index = ["logs-endpoint.events.file-*"]
+index = ["logs-endpoint.events.file-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
@@ -100,8 +102,8 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Command and Control",
     "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/credential_access_kerberoasting_unusual_process.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/02"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [transform]
 [[transform.osquery]]
@@ -42,7 +44,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.network-*"]
+index = ["logs-endpoint.events.network-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kerberos Traffic from Unusual Process"
@@ -101,14 +103,6 @@ Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` proce
 """
 risk_score = 47
 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -117,6 +111,7 @@ tags = [
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_suspicious_scrobj_load.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Script Object Execution"
@@ -24,14 +24,15 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
     "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
     "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 any where host.os.type == "windows" and 
- (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and 
+ (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and 
  (?dll.name : "scrobj.dll" or ?file.name : "scrobj.dll") and 
  process.executable : ("?:\\Windows\\System32\\*.exe", "?:\\Windows\\SysWOW64\\*.exe") and 
  not process.executable : (

rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ false_positives = [
     "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious SolarWinds Child Process"
@@ -21,14 +23,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -37,6 +31,7 @@ tags = [
     "Tactic: Execution",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_command_shell_started_by_svchost.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
 
 [transform]
 [[transform.osquery]]
@@ -33,7 +33,16 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"]
+index = [
+    "logs-endpoint.events.process-*",
+    "winlogbeat-*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "Svchost spawning Cmd"
@@ -92,23 +101,20 @@ references = [
 ]
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
-tags = ["Domain: Endpoint",
-        "OS: Windows",
-        "Use Case: Threat Detection",
-        "Tactic: Execution",
-        "Resources: Investigation Guide",
-        "Data Source: Elastic Defend",
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
     "Data Source: System",
-        ]
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"

rules/windows/exfiltration_smb_rare_destination.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/12/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,14 @@ This rule detects rare internet network connections via the SMB protocol. SMB is
 via rogue UNC path injection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+    "logs-endpoint.events.network-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "Rare SMB Connection to the Internet"
@@ -26,7 +33,9 @@ tags = [
     "Tactic: Exfiltration",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"

rules/windows/impact_backup_file_deletion.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/10/01"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +16,7 @@ false_positives = [
     "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "endgame-*"]
+index = ["logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Third-party Backup Files Deleted via Unexpected Process"
@@ -77,6 +79,7 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/impact_high_freq_file_renames_by_kernel.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/05/03"
-integration = ["endpoint"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/23"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,14 @@ This rule identifies a high number (20) of file creation event by the System vir
 same file name containing keywords similar to ransomware note files and all within a short time period.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*"]
+index = [
+    "logs-endpoint.events.file-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Ransomware Behavior - High count of Readme files by System"
@@ -62,6 +69,10 @@ tags = [
     "Tactic: Impact",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/03/16"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,14 @@ Identifies newly seen removable devices by device friendly name using registry m
 is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+    "logs-endpoint.events.registry-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Removable Device"
@@ -31,6 +38,8 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"