[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222)

(cherry picked from commit 2b6116e)

Author: w0rk3r

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -23,6 +23,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,13 +42,17 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.executable : "C:\\*Program*Files*\\*.exe" and
+  process.executable : (
+    "C:\\*Program*Files*\\*.exe",
+    "\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe"
+  ) and
   not process.executable : (
         "?:\\Program Files\\*.exe",
         "?:\\Program Files (x86)\\*.exe",
@@ -56,6 +61,18 @@ process where host.os.type == "windows" and event.type == "start" and
         "?:\\Windows\\Downloaded Program Files\\*.exe",
         "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
         "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+  ) and
+  not (
+    event.dataset == "crowdstrike.fdr" and
+      process.executable : (
+        "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
+        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
+        "\\Device\\HarddiskVolume?\\Users\\*.exe",
+        "\\Device\\HarddiskVolume?\\ProgramData\\*.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\Downloaded Program Files\\*.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+      )
   )
 '''
 

rules/windows/defense_evasion_wsl_child_process.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/12"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -21,6 +21,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,6 +40,7 @@ tags = [
     "Data Source: System",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -53,7 +55,19 @@ process where host.os.type == "windows" and event.type : "start" and
         "?:\\Windows\\System32\\conhost.exe",
         "?:\\Windows\\System32\\lxss\\wslhost.exe",
         "?:\\Windows\\System32\\WerFault.exe",
-        "?:\\Windows\\Sys*\\wslconfig.exe"
+        "?:\\Windows\\Sys?????\\wslconfig.exe"
+  ) and
+  not (
+    event.dataset == "crowdstrike.fdr" and
+      process.executable : (
+        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*",
+        "\\Device\\HarddiskVolume?\\Program Files\\*",
+        "\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\System32\\conhost.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\System32\\lxss\\wslhost.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\System32\\WerFault.exe",
+        "\\Device\\HarddiskVolume?\\Windows\\Sys?????\\wslconfig.exe"
+      )
   )
 '''
 

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -45,6 +46,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_enumeration_via_wmiprvse.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_initial_access_foxmail_exploit.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/08/29"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,8 @@ index = [
     "logs-windows.sysmon_operational-*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-m365_defender.event-*", 
-    "logs-endpoint.events.process-*"
+    "logs-endpoint.events.process-*", 
+    "logs-crowdstrike.fdr*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -42,15 +43,15 @@ tags = [
     "Data Source: System", 
     "Data Source: Elastic Endgame",
     "Data Source: SentinelOne",
-    "Data Source: Microsoft Defender for Endpoint"
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and 
  process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
-
 '''
 
 

rules/windows/execution_mofcomp.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "m365_defender", "system"]
+integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
 establish persistence using WMI Event Subscription.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"]
+index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mofcomp Activity"
@@ -28,6 +28,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Elastic Endgame",
     "Data Source: System",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_suspicious_cmd_wmi.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -44,6 +45,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_suspicious_pdf_reader.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/30"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -22,6 +22,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -90,6 +91,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_via_compiled_html_file.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -56,6 +56,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -132,6 +133,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_via_mmc_console_file_unusual_path.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/06/19"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies attempts to open a Microsoft Management Console File from untrusted p
 MSC files for initial access and execution.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Management Console File from Unusual Path"
@@ -31,14 +31,24 @@ tags = [
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: System",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc" and
-  not process.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
+  process.executable : (
+    "?:\\Windows\\System32\\mmc.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\System32\\mmc.exe"
+  ) and
+  process.args : "*.msc" and
+  not process.args : (
+        "?:\\Windows\\System32\\*.msc",
+        "?:\\Windows\\SysWOW64\\*.msc",
+        "?:\\Program files\\*.msc",
+        "?:\\Program Files (x86)\\*.msc"
+  )
 '''