[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#…

…2438) * [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF * s/host.id/winlog.computer_name (cherry picked from commit 9c1bd50)
elastic · Dec 21, 2022 · 96fc551 · 96fc551
1 parent 92880a4
commit 96fc551
Show file tree

Hide file tree

Showing 38 changed files with 94 additions and 94 deletions.
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privileged Account Brute Force"
@@ -62,7 +62,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "eql"
 
 query = '''
-sequence by host.id, source.ip with maxspan=10s
+sequence by winlog.computer_name, source.ip with maxspan=10s
   [authentication where event.action == "logon-failed" and
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and

diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ brute force login attempts across multiple users with a common or known password
 accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure Followed by Logon Success"
@@ -62,7 +62,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "eql"
 
 query = '''
-sequence by host.id, source.ip with maxspan=5s
+sequence by winlog.computer_name, source.ip with maxspan=5s
   [authentication where event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and

diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Adversaries will often brute force login attempts across multiple users with a c
 to gain access to accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure from the same Source Address"
@@ -66,7 +66,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "eql"
 
 query = '''
-sequence by host.id, source.ip with maxspan=10s
+sequence by winlog.computer_name, source.ip with maxspan=10s
   [authentication where event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and

diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ technique to get credential information of individual accounts or the entire dom
 domain.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DCSync"

diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the modification of an account's Kerberos pre-authentication options.
 the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kerberos Pre-authentication Disabled for User"
@@ -79,7 +79,7 @@ references = [
 risk_score = 47
 rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
@@ -3,7 +3,7 @@ creation_date = "2022/11/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identify access to sensitive Active Directory object attributes that contains cr
 unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to a Sensitive LDAP Attribute"

diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/11/04"
+updated_date = "2022/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -15,7 +15,7 @@ Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and doe
 file name.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Handle Access"

diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies remote access to the registry to potentially dump credential data fro
 registry hive in preparation for credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Credential Access via Registry"
@@ -78,7 +78,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "C
 type = "eql"
 
 query = '''
-sequence by host.id, user.id with maxspan=1m
+sequence by winlog.computer_name, user.id with maxspan=1m
  [authentication where
    event.outcome == "success" and event.action == "logged-in" and
    winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and

diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -3,7 +3,7 @@ creation_date = "2022/08/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Vault Web Credentials Read"
@@ -31,7 +31,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "eql"
 
 query = '''
-sequence by host.id, winlog.process.pid with maxspan=1s
+sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 
  /* 2 consecutive vault reads from same pid for web creds */
 

diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ SeEnableDelegationPrivilege "user right" enables computer and user accounts to b
 abuse this right to compromise Active Directory accounts and elevate their privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"

diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/15"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shadow Credentials added to AD Object"

diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ user to configure Service Principle Names (SPNs) so that they can perform Kerber
 configure this for legitimate purposes, exposing the account to Kerberoasting.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "User account exposed to Kerberoasting"

diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ attempt to exfiltrate credentials by dumping the Security Account Manager (SAM)
 credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Remote Registry Access via SeBackupPrivilege"
@@ -94,11 +94,11 @@ references = [
 risk_score = 47
 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide", "Active Directory"]
 type = "eql"
 
 query = '''
-sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
+sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m
  [iam where event.action == "logged-in-special"  and
   winlog.event_data.PrivilegeList : "SeBackupPrivilege" and
 

diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -12,7 +12,7 @@ Identifies attempts to clear Windows event log stores. This is often done by att
 or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows Event Logs Cleared"

diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/11/04"
+updated_date = "2022/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -12,7 +12,7 @@ Identifies instances of an unusual process enumerating built-in Windows privileg
 Administrators or Remote Desktop users.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Privileged Local Groups Membership"

diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -3,7 +3,7 @@ creation_date = "2022/08/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/30"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a network logon followed by Windows service creation with same LogonI
 movement, but will be noisy if commonly done by administrators."
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Windows Service Installed"
@@ -23,7 +23,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "P
 type = "eql"
 
 query = '''
-sequence by winlog.logon.id, host.id with maxspan=1m
+sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
 [authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
 event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
 [iam where event.action == "service-installed" and

diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -3,7 +3,7 @@ creation_date = "2022/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a remote logon followed by a scheduled task creation on the target ho
 adversary lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Logon followed by Scheduled Task Creation"
@@ -65,7 +65,7 @@ type = "eql"
 query = '''
 /* Network Logon followed by Scheduled Task creation  */
 
-sequence by host.id with maxspan=1m
+sequence by winlog.computer_name with maxspan=1m
   [authentication where event.action == "logged-in" and
    winlog.logon.type == "Network" and event.outcome == "success" and
    not user.name == "ANONYMOUS LOGON" and not winlog.event_data.SubjectUserName : "*$" and