[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
w0rk3r authored Feb 17, 2025
1 parent aded9de commit 1517724
Showing 14 changed files with 28 additions and 28 deletions.
4 changes: 2 additions & 2 deletions rules/windows/collection_email_outlook_mailbox_via_com.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/01/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Detects Inter-Process Communication with Outlook via Component Object Model from
target user email to collect sensitive information or send email on their behalf via API.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Inter-Process Communication via Outlook"
4 changes: 2 additions & 2 deletions rules/windows/credential_access_dollar_account_relay.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/07/24"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -14,7 +14,7 @@ domain controller computer account coming from other hosts to the DC that owns t
hash after capturing it using forced authentication.
"""
from = "now-9m"
index = ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"]
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Relay Attack against a Domain Controller"
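Review bot: The rewritten index array on the new side of the second hunk mixes two wildcard conventions, `logs-system.security*` with no trailing hyphen next to `winlogbeat-*`, while the same commit adds the hyphen to the endpoint patterns (`logs-endpoint.events.process-*`, `logs-endpoint.events.library-*`), so the consistency named in the title is not visible within a single array. Dropping the hyphen also widens the match to any data stream whose name merely starts with `logs-system.security`, which is harder to audit than the hyphenated form; if that width is intentional it should be stated above the key, for example `# no trailing hyphen on purpose: also matches non-default security data stream names (TODO confirm which)`, otherwise `logs-system.security-*` is the narrower and safer choice. The cdb_utility, mofcomp, wsus_update and unquoted_service_path sections carry the same change and would take the same comment.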
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/10/14"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -13,7 +13,7 @@ Identifies the load of a DLL without a valid code signature by the Azure AD Sync
to persist or collect sensitive credentials passing through the Azure AD synchronization server.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Untrusted DLL Loaded by Azure AD Sync Service"
Expand Up @@ -2,13 +2,13 @@
creation_date = "2024/07/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/01"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
description = "Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder."
from = "now-9m"
index = ["logs-endpoint.events.file*"]
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Sensitive Registry Hive Access via RegBack"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/01/14"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -16,7 +16,7 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-system.security-*"
"logs-system.security*"
]
language = "kuery"
license = "Elastic License v2"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -19,7 +19,7 @@ index = [
"endgame-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*",
"logs-system.security-*",
"logs-system.security*",
"logs-crowdstrike.fdr*"
]
language = "eql"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_windows_filtering_platform.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/12/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -13,7 +13,7 @@ Identifies multiple Windows Filtering Platform block events and where the proces
security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security*"]
index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Windows Filtering Platform"
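Review bot: The new index line swaps `logs-windows.network-*` for `logs-windows.forwarded*`, which changes the data stream the rule reads rather than only the wildcard form, and nothing in the hunk or the commit title records why. If the old pattern never matched a real data stream the rule was effectively dead until this change, which is worth stating in the rule note or the PR description so operators know when the detection actually started producing alerts; presumably the Windows Filtering Platform block events are expected through the forwarded event log stream, but that should be confirmed against the event fields used by the query, which lies outside this hunk. A one-line comment above the key, `# WFP block events are read from the Windows integration's forwarded data stream (confirm against the query)`, would keep the next tuning pass from reverting it.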
4 changes: 2 additions & 2 deletions rules/windows/execution_mofcomp.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
establish persistence using WMI Event Subscription.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*", "logs-crowdstrike.fdr*"]
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
4 changes: 2 additions & 2 deletions rules/windows/execution_windows_script_from_internet.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."
min_stack_version = "8.15.0"
updated_date = "2025/02/07"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies the creation of a Windows script downloaded from the internet followe
Adversaries may use Windows script files for initial access and execution.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution of a Downloaded Windows Script"
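Review bot: Replacing `logs-endpoint.events.*` with the enumerated `logs-endpoint.events.file-*` and `logs-endpoint.events.process-*` streams narrows the rule's input, so any event category the EQL sequence references beyond file and process events would silently stop matching; the query is outside this hunk, so the pair should be checked against every `event.category` the sequence filters on before merging. The impact_ransomware_file_rename_smb and impact_ransomware_note_file_over_smb sections make the same narrowing with `file-*` and `network-*` and need the same check. A short comment above `index`, `# only the file and process streams are consumed by the sequence below; extend if a new category is added`, records the dependency for later tuning.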
4 changes: 2 additions & 2 deletions rules/windows/impact_ransomware_file_rename_smb.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/05/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/20"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies an incoming SMB connection followed by a suspicious file rename opera
ransomware attack via the SMB protocol.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Renamed via SMB"
4 changes: 2 additions & 2 deletions rules/windows/impact_ransomware_note_file_over_smb.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/05/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/20"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies an incoming SMB connection followed by the creation of a file with a
This may indicate a remote ransomware attack via the SMB protocol.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Ransomware Note File Dropped via SMB"
4 changes: 2 additions & 2 deletions rules/windows/lateral_movement_via_wsus_update.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"
updated_date = "2025/02/14"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ WSUS is limited to executing Microsoft signed binaries, which limits the executa
by Microsoft.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Potential WSUS Abuse for Lateral Movement"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/01/07"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -14,7 +14,7 @@ that can be loaded from a different location by a native Windows process. This m
privileges via privileged file write vulnerabilities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
4 changes: 2 additions & 2 deletions rules/windows/privilege_escalation_unquoted_service_path.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/07/13"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -14,7 +14,7 @@ higher-level directory within the path of an unquoted service executable, Window
from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security-*"]
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
