++

Author: w0rk3r

rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml

@@ -93,12 +93,14 @@ from logs-azure.auditlogs-* metadata _id, _version, _index
   azure.auditlogs.operation_name != "Set directory feature on tenant"
   and azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike ".+@[A-Za-z0-9.]+\\.[A-Za-z]{2,}"
 | keep
-    _id,
     @timestamp,
     azure.*,
     client.*,
     event.*,
-    source.*
+    source.*,
+    _id,
+    _version,
+    _index
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_backtick.toml

@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml

@@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml

@@ -110,6 +110,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml

@@ -106,6 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml

@@ -112,6 +112,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml

@@ -111,6 +111,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml

@@ -113,6 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml

@@ -113,6 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     host.name,
     agent.id,

rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml

@@ -109,6 +109,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.sequence,
     powershell.total,
     _id,
+    _version,
     _index,
     agent.id