[Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034)

* [Rule Tuning] 3rd Party EDR Compatibility - 9

* min_stack for merge, bump updated_date

(cherry picked from commit 8938f09)

Author: w0rk3r

rules/windows/defense_evasion_wsl_registry_modification.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/01/12"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,14 @@ Detects changes to the registry that indicates the install of a new Windows Subs
 Adversaries may enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.registry-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Subsystem for Linux Distribution Installed"
@@ -64,6 +73,8 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
 ]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
@@ -72,9 +83,7 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and registry.value : "PackageFamilyName" and
- registry.path : 
-       ("HK*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName",
-        "\\REGISTRY\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName")
+ registry.path : "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName"
 '''
 
 

rules/windows/discovery_adfind_command_activity.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +17,12 @@ from = "now-9m"
 index = [
     "logs-endpoint.events.process-*",
     "winlogbeat-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -67,14 +72,6 @@ references = [
 ]
 risk_score = 21
 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
     "Domain: Endpoint",
@@ -85,6 +82,9 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/discovery_admin_recon.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,9 +14,10 @@ from = "now-9m"
 index = [
     "logs-endpoint.events.process-*",
     "winlogbeat-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -55,14 +56,6 @@ This rule looks for the execution of the `net` and `wmic` utilities to enumerate
 """
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
     "Domain: Endpoint",
@@ -73,6 +66,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/01/27"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,12 @@ from = "now-9m"
 index = [
     "winlogbeat-*",
     "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,6 +77,9 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/05/31"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,9 +21,11 @@ from = "now-9m"
 index = [
     "winlogbeat-*",
     "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -75,6 +77,8 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/discovery_group_policy_object_discovery.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/01/18"
-integration = ["windows", "endpoint"]
+integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -15,9 +17,12 @@ from = "now-9m"
 index = [
     "winlogbeat-*",
     "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -66,6 +71,9 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/discovery_peripheral_device.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
     "winlogbeat-*",
     "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -52,14 +57,6 @@ This rule looks for the execution of the `fsutil` utility with the `fsinfo` subc
 """
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
     "Domain: Endpoint",
@@ -70,6 +67,9 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
     "winlogbeat-*",
     "logs-endpoint.events.process-*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -27,14 +32,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -45,6 +42,9 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"