Merge branch 'main' into prep-for-next-release-8.17

Author: shashank-elastic

.github/workflows/version-code-and-release.yml

@@ -64,7 +64,7 @@ jobs:
             fi
           fi
 
-  release_drafter:
+  tag_and_draft_release:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     permissions:
@@ -73,6 +73,19 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set github config
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "protectionsmachine"
+
+      - name: Extract version from pyproject.toml and create tag
+        id: extract_version
+        run: |
+          version=$(grep '^version = ' pyproject.toml | cut -d '"' -f2)
+          echo "Detected version: $version"
+          git tag -a "dev-v$version" -m "Release version $version"
+          git push origin "v$version"
+
       - name: Run Release Drafter
         uses: release-drafter/release-drafter@v6
         with:

docs/versioning.md

@@ -80,6 +80,8 @@ Increment the patch version when making bug fixes, performance improvements, or
   - Small performance tweaks for the hunting rule management.
 - **Docs Folder**:
   - Updates to documentation.
+- **JSON Schemas**:
+  - Recurring update to schema definitions that don't break compatibility (not .py schema updates).
 
 </p>
 </details>
@@ -140,7 +142,7 @@ Increment the major version when introducing backward-incompatible changes that
 
 ## Tagging Process
 
-Each release will be tagged using the following format:
+Each pyproject.toml update will be tagged using the following format:
 - **Tag Format**: `dev-vX.Y.Z` (e.g., `dev-v1.2.0`).
 - **Single Tag for Combined Releases**: If there are changes to the core detection-rules code or libraries (`kql`, `kibana`), they will be tagged together as a single release with the core detection-rules versioning.
 - **Hunting Folder**: Changes to the hunting logic will be included in the combined release.
@@ -151,11 +153,11 @@ Each release will be tagged using the following format:
 
 ## When to Trigger a GitHub Release
 
-A draft release will be triggered in the following cases:
+A draft release will be triggered on all version updates. For example, in the following cases:
 - **New Feature or Bug Fix**: Once a feature or bug fix is merged into `main`, a version bump is made according to the semantic versioning rules.
 - **Version Bump**: After the version bump, a GitHub release will be created using **release-drafter** CI workflow to automate draft release generation.
 
 As pull requests are merged, a draft release is kept up-to-date listing the changes, ready to publish quarterly.
 
 > [!IMPORTANT]
-> Proper PR labels need to be added for this to properly be labeled and added to the draft.
+> Releases are published on minor and major version bumps at a minimum. Prior to publishing, the release notes should be reviewed and updated with any additional information, or remove any unnecessary details not related to code changes (which may occur due to release-drafter pulling in all commits).

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.1.1"
+version = "0.1.2"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/windows/credential_access_suspicious_lsass_access_generic.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -51,14 +51,25 @@ process where host.os.type == "windows" and event.code == "10" and
         "?:\\Windows\\LTSvc\\LTSVC.exe",
         "?:\\Windows\\Sysmon.exe",
         "?:\\Windows\\Sysmon64.exe",
+        "C:\\Windows\\CynetMS.exe",
         "?:\\Windows\\system32\\csrss.exe",
         "?:\\Windows\\System32\\lsm.exe",
         "?:\\Windows\\system32\\MRT.exe",
         "?:\\Windows\\System32\\msiexec.exe",
         "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
         "?:\\Windows\\system32\\wininit.exe",
         "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe",
-        "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe"
+        "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe", 
+        "C:\\oracle\\64\\02\\instantclient_19_13\\sqlplus.exe", 
+        "C:\\oracle\\64\\02\\instantclient_19_13\\sqlldr.exe",
+        "d:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE",
+        "C:\\wamp\\bin\\apache\\apache*\\bin\\httpd.exe",
+        "C:\\Windows\\system32\\netstat.exe", 
+        "C:\\PROGRA~1\\INFORM~1\\apps\\jdk\\*\\jre\\bin\\java.exe", 
+        "C:\\PROGRA~2\\CyberCNSAgentV2\\osqueryi.exe",
+        "C:\\Utilityw2k19\\packetbeat\\packetbeat.exe",
+        "C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp\\CloudUpdate\\vpndownloader.exe", 
+        "C:\\ProgramData\\Cisco\\Cisco Secure Client\\Temp\\CloudUpdate\\vpndownloader.exe"
   ) and
   not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''

rules/windows/credential_access_wbadmin_ntds.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/06/05"
-integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -43,6 +44,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/credential_access_wireless_creds_dumping.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/11/01"
-integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -45,6 +45,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -110,6 +111,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -45,6 +45,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -118,6 +119,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"

rules/windows/defense_evasion_clearing_windows_console_history.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/11/22"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -64,14 +65,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -86,16 +79,22 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and
-     (process.args : "*Clear-History*" or
-     (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
-     (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*"))
+  (
+    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+    ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+  ) and
+  (
+    process.args : "*Clear-History*" or
+    (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
+    (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")
+  )
 '''
 
 

rules/windows/defense_evasion_clearing_windows_event_logs.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -74,6 +75,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,7 +88,10 @@ process where host.os.type == "windows" and event.type == "start" and
     process.args : ("/e:false", "cl", "clear-log")
   ) or
   (
-    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+    (
+      process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+      ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+    ) and
     process.args : "Clear-EventLog"
   )
 )

rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/31"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -41,6 +41,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -108,6 +109,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"