
Commit 8df0950

w0rk3rtradebot-elastic
authored andcommitted
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 * Update defense_evasion_ms_office_suspicious_regmod.toml (cherry picked from commit b91e737)
1 parent 3ae7f37 commit 8df0950

5 files changed

+28
-33
lines changed

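--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.network-*",
 "logs-windows.sysmon_operational-*",
+"logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -111,6 +112,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
+"Data Source: SentinelOne",
 "Data Source: Sysmon",
 ]
 type = "eql"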

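--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/01/12"
-integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -82,35 +83,21 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+"Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and event.type == "change" and registry.value : ("AccessVBOM", "VbaWarnings") and
-registry.path : (
-/* Sysmon */
-"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-"HKU\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"HKU\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-/* MDE */
-"HKCU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"HKCU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-"HKCU\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"HKCU\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-/* Endgame */
-"\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-"\\REGISTRY\\USER\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"\\REGISTRY\\USER\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-/* SentinelOne */
-"USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
-"USER\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
-"USER\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings"
-) and
+registry where host.os.type == "windows" and event.type == "change" and
+registry.value : ("AccessVBOM", "VbaWarnings") and
 registry.data.strings : ("0x00000001", "1")
+
+/*
+Full registry key paths omitted due to data source variations:
+"HKCU\\S-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM"
+"HKCU\\S-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings"
+*/
 '''
 
 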
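Review bot: Removing the `registry.path` condition from the `query` hunk drops the only clause that tied this rule to Office's per-user `Security` key, so the rule now fires on any registry change whose value name is `AccessVBOM` or `VbaWarnings` and whose data is 1, in any hive and under any path — including machine-wide policy keys that Group Policy can write, and any non-Office product that happens to use those value names. The new trailing comment documents the intended key but enforces nothing. If the motivation was only the vendor-specific hive prefix (`HKU\`, `HKCU\`, `\REGISTRY\USER\`, `USER\`), a single suffix wildcard keeps the Office anchor while tolerating those variations: add `registry.path : "*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\*" and` to the `and` chain before `registry.data.strings`. Whether the newly added CrowdStrike FDR source populates `registry.path` in that shape is not visible here and should be confirmed; if the wider match is intentional, the rule's description/false-positives text should state that policy-scope changes now alert too.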
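--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
 "logs-endpoint.events.network-*",
 "winlogbeat-*",
 "logs-windows.sysmon_operational-*",
+"logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -65,6 +66,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
+"Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
 ]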

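--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.network-*",
 "logs-windows.sysmon_operational-*",
+"logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -64,6 +65,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
+"Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
 ]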

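--- a/rules/windows/defense_evasion_ntlm_downgrade.toml
+++ b/rules/windows/defense_evasion_ntlm_downgrade.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/14"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,7 @@ index = [
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-windows.sysmon_operational-*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -65,6 +66,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
+"Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"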
