[Rule Tuning] Change default index patterns to include Windows forwarded Logs

[patrickrei]

Link to rule

For example, but applies to several windows rules: https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

Description

The issue is the default index patterns setting index = ["winlogbeat-*", "logs-system.*"]. If you are using Windows Event Forwarding (WEF), collect logs from several machines on a single host and collect them with the Elastic Agent (Windows Integration - Forwarded Event Logs), then the default index patterns does not match as it is logs-windows.forwarded-*. Is it possible to add the index pattern for forwarded Windows logs in the default patterns?

Example Data

No rule logic changes.
Change index = ["winlogbeat-*", "logs-system.*"] to index = ["winlogbeat-*", "logs-system.*", "logs-windows.forwarded-*"]

[w0rk3r]

Hey @patrickrei, thanks for bringing this for our attention! I'll take a look on this.

[ChriZzn]

Hi together,

there is another Problem to consider, some rules will still not work because the EQL Query requires the host.id field to be set which is not the case if you use the EventLog Forwarding.
Maybe You consider Here working with just the source.ip or hostname...

Example Rule:
https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

Regards Christoph

[w0rk3r]

Hey @patrickrei, here is a PR to solve this one: #2438. Feel free to review and/or give us your feedback.

Here is a comment regarding the host.id problem: #2438 (comment)