[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF

rules/windows/credential_access_bruteforce_admin_account.toml

@@ -3,7 +3,7 @@ creation_date = "2020/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privileged Account Brute Force"

rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

@@ -3,7 +3,7 @@ creation_date = "2020/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ brute force login attempts across multiple users with a common or known password
 accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure Followed by Logon Success"

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

@@ -3,7 +3,7 @@ creation_date = "2020/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Adversaries will often brute force login attempts across multiple users with a c
 to gain access to accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure from the same Source Address"

rules/windows/credential_access_dcsync_replication_rights.toml

@@ -3,7 +3,7 @@ creation_date = "2022/02/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ technique to get credential information of individual accounts or the entire dom
 domain.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DCSync"

rules/windows/credential_access_disable_kerberos_preauth.toml

@@ -3,7 +3,7 @@ creation_date = "2022/01/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the modification of an account's Kerberos pre-authentication options.
 the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kerberos Pre-authentication Disabled for User"
@@ -79,7 +79,7 @@ references = [
 risk_score = 47
 rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/windows/credential_access_ldap_attributes.toml

@@ -3,7 +3,7 @@ creation_date = "2022/11/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identify access to sensitive Active Directory object attributes that contains cr
 unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to a Sensitive LDAP Attribute"

rules/windows/credential_access_lsass_memdump_handle_access.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/11/04"
+updated_date = "2022/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -15,7 +15,7 @@ Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and doe
 file name.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Handle Access"

rules/windows/credential_access_remote_sam_secretsdump.toml

@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies remote access to the registry to potentially dump credential data fro
 registry hive in preparation for credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Credential Access via Registry"

rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -3,7 +3,7 @@ creation_date = "2022/08/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Vault Web Credentials Read"

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

@@ -3,7 +3,7 @@ creation_date = "2022/01/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ SeEnableDelegationPrivilege "user right" enables computer and user accounts to b
 abuse this right to compromise Active Directory accounts and elevate their privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"

rules/windows/credential_access_shadow_credentials.toml

@@ -3,7 +3,7 @@ creation_date = "2022/01/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/15"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shadow Credentials added to AD Object"

rules/windows/credential_access_spn_attribute_modified.toml

@@ -3,7 +3,7 @@ creation_date = "2022/02/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ user to configure Service Principle Names (SPNs) so that they can perform Kerber
 configure this for legitimate purposes, exposing the account to Kerberoasting.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "User account exposed to Kerberoasting"

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml

@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ attempt to exfiltrate credentials by dumping the Security Account Manager (SAM)
 credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Remote Registry Access via SeBackupPrivilege"
@@ -94,7 +94,7 @@ references = [
 risk_score = 47
 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide", "Active Directory"]
 type = "eql"
 
 query = '''

rules/windows/defense_evasion_clearing_windows_security_logs.toml

@@ -3,7 +3,7 @@ creation_date = "2020/11/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -12,7 +12,7 @@ Identifies attempts to clear Windows event log stores. This is often done by att
 or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows Event Logs Cleared"

rules/windows/discovery_privileged_localgroup_membership.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/11/04"
+updated_date = "2022/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -12,7 +12,7 @@ Identifies instances of an unusual process enumerating built-in Windows privileg
 Administrators or Remote Desktop users.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Privileged Local Groups Membership"

rules/windows/lateral_movement_remote_service_installed_winlog.toml

@@ -3,7 +3,7 @@ creation_date = "2022/08/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/30"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a network logon followed by Windows service creation with same LogonI
 movement, but will be noisy if commonly done by administrators."
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Windows Service Installed"

rules/windows/lateral_movement_remote_task_creation_winlog.toml

@@ -3,7 +3,7 @@ creation_date = "2022/08/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/29"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a remote logon followed by a scheduled task creation on the target ho
 adversary lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Logon followed by Scheduled Task Creation"

rules/windows/lateral_movement_service_control_spawned_script_int.toml

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies Service Control (sc.exe) spawning from script interpreter processes t
 This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Control Spawned via Script Interpreter"

rules/windows/persistence_ad_adminsdholder.toml

@@ -3,7 +3,7 @@ creation_date = "2022/01/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ the protected accounts and groups are reset to match those of the domain's Admin
 Administrative Privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AdminSDHolder Backdoor"

rules/windows/persistence_dontexpirepasswd_account.toml

@@ -3,7 +3,7 @@ creation_date = "2022/02/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Account Configured with Never-Expiring Password"

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

@@ -3,7 +3,7 @@ creation_date = "2022/01/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT.
 maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "KRBTGT Delegation Backdoor"