From f3e82b4f1c796bbc8bbb891e63a8fa42f5c244ec Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 24 Feb 2025 12:27:02 -0300 Subject: [PATCH 1/3] [Security Content] Basic EDR Setup Guides - Phase 1 [Security Content] Basic EDR Setup Guides - Phase 1 --- ...lection_email_outlook_mailbox_via_com.toml | 10 +++++- ...ion_email_powershell_exchange_mailbox.toml | 28 ++++++++++++++++- .../windows/collection_winrar_encryption.toml | 31 +++++++++++++------ .../command_and_control_certreq_postdata.toml | 28 ++++++++++++++++- ...ommand_and_control_common_webservices.toml | 10 +++++- ...nd_and_control_dns_tunneling_nslookup.toml | 23 +++++++++++++- ...control_encrypted_channel_freesslcert.toml | 21 +++++++------ .../command_and_control_headless_browser.toml | 28 ++++++++++++++++- .../command_and_control_iexplore_via_com.toml | 10 +++++- ...and_and_control_ingress_transfer_bits.toml | 10 +++++- ...w_terms_commonly_abused_rat_execution.toml | 13 +++++++- ...command_and_control_outlook_home_page.toml | 23 +++++++++++++- ...ontrol_port_forwarding_added_registry.toml | 23 +++++++++++++- .../command_and_control_rdp_tunnel_plink.toml | 28 ++++++++++++++++- ...ol_remote_file_copy_desktopimgdownldr.toml | 28 ++++++++++++++++- ...and_control_remote_file_copy_mpcmdrun.toml | 28 ++++++++++++++++- ...d_control_remote_file_copy_powershell.toml | 10 +++++- ..._and_control_remote_file_copy_scripts.toml | 13 +++++++- ...d_and_control_screenconnect_childproc.toml | 28 ++++++++++++++++- ...control_sunburst_c2_activity_detected.toml | 10 +++++- ...d_control_teamviewer_remote_file_copy.toml | 18 ++++++++++- ...nd_and_control_tool_transfer_via_curl.toml | 30 ++++++++++++++++-- .../command_and_control_tunnel_vscode.toml | 28 ++++++++++++++++- .../credential_access_cmdline_dump_tool.toml | 23 +++++++++++++- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 28 ++++++++++++++++- ...ial_access_credential_dumping_msbuild.toml | 13 +++++++- ...cess_domain_backup_dpapi_private_keys.toml | 28 ++++++++++++++++- 
...credential_access_dump_registry_hives.toml | 28 ++++++++++++++++- .../credential_access_generic_localdumps.toml | 18 ++++++++++- ..._access_iis_connectionstrings_dumping.toml | 28 ++++++++++++++++- ...ccess_imageload_azureadconnectauthsvc.toml | 13 +++++++- ..._access_kerberoasting_unusual_process.toml | 18 ++++++++++- .../windows/credential_access_kirbi_file.toml | 28 ++++++++++++++++- ...l_access_lsass_handle_via_malseclogon.toml | 10 +----- ...edential_access_lsass_loaded_susp_dll.toml | 10 +++++- ...ial_access_lsass_memdump_file_created.toml | 23 +++++++++++++- ...edential_access_lsass_openprocess_api.toml | 18 ++++++++++- ...l_access_mimikatz_memssp_default_logs.toml | 31 +++++++++++++------ ..._access_mod_wdigest_security_provider.toml | 26 ++++++++++------ ...l_access_moving_registry_hive_via_smb.toml | 10 +++++- ...e_network_logon_provider_modification.toml | 18 ++++++++++- ..._potential_lsa_memdump_via_mirrordump.toml | 10 +----- ...ial_access_regback_sam_security_hives.toml | 10 +++++- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 28 ++++++++++++++++- ...dential_access_remote_sam_secretsdump.toml | 20 ++++++------ ...redential_access_saved_creds_vaultcmd.toml | 28 ++++++++++++++++- ...ccess_suspicious_lsass_access_generic.toml | 10 +----- ...ccess_suspicious_lsass_access_memdump.toml | 10 +----- ...ial_access_veeam_backup_dll_imageload.toml | 10 +++++- .../credential_access_veeam_commands.toml | 28 ++++++++++++++++- .../credential_access_wbadmin_ntds.toml | 28 ++++++++++++++++- ...dential_access_wireless_creds_dumping.toml | 28 ++++++++++++++++- ...den_file_attribute_with_via_attribexe.toml | 28 ++++++++++++++++- ...defense_evasion_amsi_bypass_dllhijack.toml | 23 +++++++++++++- .../defense_evasion_amsienable_key_mod.toml | 23 +++++++++++++- ...sion_clearing_windows_console_history.toml | 28 ++++++++++++++++- ...e_evasion_clearing_windows_event_logs.toml | 28 ++++++++++++++++- ...ing_policy_modification_builtin_tools.toml | 28 ++++++++++++++++- 
..._signing_policy_modification_registry.toml | 23 +++++++++++++- ...ication_apps_suspicious_child_process.toml | 10 +++++- ...e_evasion_create_mod_root_certificate.toml | 23 +++++++++++++- ...vasion_defender_disabled_via_registry.toml | 18 ++++++++++- ...ion_defender_exclusion_via_powershell.toml | 28 ++++++++++++++++- ...delete_volume_usn_journal_with_fsutil.toml | 28 ++++++++++++++++- .../windows/defense_evasion_disable_nla.toml | 23 +++++++++++++- ...asion_disable_posh_scriptblocklogging.toml | 23 +++++++++++++- ...ble_windows_firewall_rules_with_netsh.toml | 28 ++++++++++++++++- ...disabling_windows_defender_powershell.toml | 28 ++++++++++++++++- ...efense_evasion_disabling_windows_logs.toml | 28 ++++++++++++++++- ...efense_evasion_dns_over_https_enabled.toml | 23 +++++++++++++- ...vasion_dotnet_compiler_parent_process.toml | 28 ++++++++++++++++- ...evasion_enable_inbound_rdp_with_netsh.toml | 28 ++++++++++++++++- ...n_enable_network_discovery_with_netsh.toml | 28 ++++++++++++++++- ...ecution_control_panel_suspicious_args.toml | 28 ++++++++++++++++- ...ense_evasion_execution_lolbas_wuauclt.toml | 28 ++++++++++++++++- ...ecution_msbuild_started_by_office_app.toml | 28 ++++++++++++++++- ...n_execution_msbuild_started_by_script.toml | 13 +++++++- ...ion_msbuild_started_by_system_process.toml | 28 ++++++++++++++++- ...ion_execution_msbuild_started_renamed.toml | 18 ++++++++++- ...cution_msbuild_started_unusal_process.toml | 13 +++++++- ...execution_suspicious_explorer_winword.toml | 26 ++++++++++------ ...sion_execution_windefend_unusual_path.toml | 26 ++++++++++------ ..._evasion_file_creation_mult_extension.toml | 23 +++++++++++++- ...efense_evasion_from_unusual_directory.toml | 23 +++++++++++++- ...sion_hide_encoded_executable_registry.toml | 23 +++++++++++++- ...ense_evasion_iis_httplogging_disabled.toml | 28 ++++++++++++++++- ...efense_evasion_indirect_exec_forfiles.toml | 28 ++++++++++++++++- .../defense_evasion_installutil_beacon.toml | 13 +++++++- 
...efense_evasion_lolbas_win_cdb_utility.toml | 28 ++++++++++++++++- ...querading_as_elastic_endpoint_process.toml | 23 +++++++++++++- ..._masquerading_business_apps_installer.toml | 10 +++++- ...asion_masquerading_communication_apps.toml | 10 +++++- ...e_evasion_masquerading_renamed_autoit.toml | 18 ++++++++++- ...erading_suspicious_werfault_childproc.toml | 23 +++++++++++++- ...vasion_masquerading_trusted_directory.toml | 28 ++++++++++++++++- ...defense_evasion_masquerading_werfault.toml | 13 +++++++- ..._evasion_microsoft_defender_tampering.toml | 23 +++++++++++++- ...isc_lolbin_connecting_to_the_internet.toml | 13 +++++++- ...e_evasion_ms_office_suspicious_regmod.toml | 18 ++++++++++- ...on_msbuild_making_network_connections.toml | 13 +++++++- .../windows/defense_evasion_mshta_beacon.toml | 13 +++++++- ...nse_evasion_msiexec_child_proc_netcon.toml | 18 ++++++++++- .../defense_evasion_msxsl_network.toml | 13 +++++++- ...etwork_connection_from_windows_binary.toml | 13 +++++++- ...e_evasion_parent_process_pid_spoofing.toml | 10 +++++- ...persistence_account_tokenfilterpolicy.toml | 23 +++++++++++++- ..._powershell_windows_firewall_disabled.toml | 28 ++++++++++++++++- ...cess_termination_followed_by_deletion.toml | 10 +++++- ...ense_evasion_proxy_execution_via_msdt.toml | 18 ++++++++++- ...eg_disable_enableglobalqueryblocklist.toml | 23 +++++++++++++- ...efense_evasion_right_to_left_override.toml | 23 +++++++++++++- ...defense_evasion_root_dir_ads_creation.toml | 23 +++++++++++++- ...defense_evasion_rundll32_no_arguments.toml | 13 +++++++- rules/windows/defense_evasion_sc_sdset.toml | 28 ++++++++++++++++- ...fense_evasion_sccm_scnotification_dll.toml | 10 +++++- ...ion_scheduledjobs_at_protocol_enabled.toml | 23 +++++++++++++- .../defense_evasion_script_via_html_app.toml | 18 ++++++++++- ..._evasion_sdelete_like_filename_rename.toml | 23 +++++++++++++- .../defense_evasion_sip_provider_mod.toml | 23 +++++++++++++- ...ackdoor_service_disabled_via_registry.toml | 23 
+++++++++++++- ..._evasion_suspicious_certutil_commands.toml | 28 ++++++++++++++++- ...picious_execution_from_mounted_device.toml | 21 +++++++------ ...n_suspicious_managedcode_host_process.toml | 28 ++++++++++++++++- ...picious_process_access_direct_syscall.toml | 10 +----- ...efense_evasion_suspicious_scrobj_load.toml | 13 +++++++- ...evasion_suspicious_short_program_name.toml | 18 ++++++++++- ...defense_evasion_suspicious_wmi_script.toml | 13 +++++++- ...evasion_suspicious_zoom_child_process.toml | 28 ++++++++++++++++- ..._critical_proc_abnormal_file_activity.toml | 23 +++++++++++++- ...sion_unsigned_dll_loaded_from_suspdir.toml | 18 +++++------ ...fense_evasion_untrusted_driver_loaded.toml | 10 +++++- ...nse_evasion_unusual_ads_file_creation.toml | 23 +++++++++++++- .../defense_evasion_unusual_dir_ads.toml | 28 ++++++++++++++++- ...nusual_network_connection_via_dllhost.toml | 13 +++++++- ...usual_network_connection_via_rundll32.toml | 13 +++++++- ...on_unusual_process_network_connection.toml | 13 +++++++- ...asion_unusual_system_vp_child_program.toml | 23 +++++++++++++- .../defense_evasion_via_filter_manager.toml | 18 ++++++++++- ...evasion_workfolders_control_execution.toml | 23 +++++++++++++- .../defense_evasion_wsl_bash_exec.toml | 23 +++++++++++++- .../defense_evasion_wsl_child_process.toml | 28 ++++++++++++++++- .../defense_evasion_wsl_enabled_via_dism.toml | 28 ++++++++++++++++- .../defense_evasion_wsl_filesystem.toml | 13 +++++++- .../defense_evasion_wsl_kalilinux.toml | 28 ++++++++++++++++- ...nse_evasion_wsl_registry_modification.toml | 23 +++++++++++++- ...discovery_active_directory_webservice.toml | 10 +++++- .../discovery_adfind_command_activity.toml | 28 ++++++++++++++++- rules/windows/discovery_admin_recon.toml | 23 +++++++++++++- .../discovery_command_system_account.toml | 21 +++++++------ ...enumerating_domain_trusts_via_dsquery.toml | 28 ++++++++++++++++- ..._enumerating_domain_trusts_via_nltest.toml | 23 +++++++++++++- 
...scovery_group_policy_object_discovery.toml | 28 ++++++++++++++++- .../windows/discovery_peripheral_device.toml | 28 ++++++++++++++++- .../discovery_whoami_command_activity.toml | 18 ++++++++++- ...arwinds_backdoor_child_cmd_powershell.toml | 28 ++++++++++++++++- ...inds_backdoor_unusual_child_processes.toml | 18 ++++++++++- .../windows/execution_com_object_xwizard.toml | 28 ++++++++++++++++- ...and_prompt_connecting_to_the_internet.toml | 13 +++++++- ...tion_command_shell_started_by_svchost.toml | 23 +++++++++++++- ...mand_shell_started_by_unusual_process.toml | 31 +++++++++++++------ .../execution_command_shell_via_rundll32.toml | 23 +++++++++++++- ...tion_delayed_via_ping_lolbas_unsigned.toml | 10 +++++- .../execution_downloaded_shortcut_files.toml | 10 +++++- .../execution_downloaded_url_file.toml | 10 +++++- .../execution_enumeration_via_wmiprvse.toml | 28 ++++++++++++++++- .../execution_from_unusual_path_cmdline.toml | 23 +++++++++++++- ...le_program_connecting_to_the_internet.toml | 13 +++++++- ...cution_initial_access_foxmail_exploit.toml | 28 ++++++++++++++++- ...execution_initial_access_via_msc_file.toml | 23 +++++++++++++- ...cution_initial_access_wps_dll_exploit.toml | 13 +++++++- rules/windows/execution_mofcomp.toml | 23 +++++++++++++- .../execution_ms_office_written_file.toml | 10 +++++- rules/windows/execution_pdf_written_file.toml | 13 +++++++- ...on_powershell_susp_args_via_winscript.toml | 18 ++++++++++- ...ution_psexec_lateral_movement_command.toml | 13 +++++++- ...er_program_connecting_to_the_internet.toml | 13 +++++++- ...tion_scheduled_task_powershell_source.toml | 13 +++++++- ...xecution_shared_modules_local_sxs_dll.toml | 23 +++++++++++++- .../windows/execution_suspicious_cmd_wmi.toml | 28 ++++++++++++++++- ...n_suspicious_image_load_wmi_ms_office.toml | 21 +++++++------ .../execution_suspicious_pdf_reader.toml | 28 ++++++++++++++++- ...ecution_suspicious_powershell_imgload.toml | 10 +++++- .../execution_suspicious_psexesvc.toml | 18 
++++++++++- .../execution_via_compiled_html_file.toml | 28 ++++++++++++++++- .../execution_via_hidden_shell_conhost.toml | 23 +++++++++++++- ...ion_via_mmc_console_file_unusual_path.toml | 28 ++++++++++++++++- ...execution_windows_cmd_shell_susp_args.toml | 18 ++++++++++- ...xecution_windows_powershell_susp_args.toml | 23 +++++++++++++- ...xecution_windows_script_from_internet.toml | 10 +++++- .../exfiltration_smb_rare_destination.toml | 23 +++++++++++++- .../windows/impact_backup_file_deletion.toml | 26 ++++++++++------ ...deleting_backup_catalogs_with_wbadmin.toml | 28 ++++++++++++++++- ...pact_high_freq_file_renames_by_kernel.toml | 23 +++++++++++++- .../impact_modification_of_boot_config.toml | 28 ++++++++++++++++- .../impact_ransomware_file_rename_smb.toml | 10 +++++- .../impact_ransomware_note_file_over_smb.toml | 10 +++++- ...impact_stop_process_service_threshold.toml | 13 +++++++- ...copy_deletion_or_resized_via_vssadmin.toml | 28 ++++++++++++++++- ...e_shadow_copy_deletion_via_powershell.toml | 28 ++++++++++++++++- ..._volume_shadow_copy_deletion_via_wmic.toml | 28 ++++++++++++++++- ..._evasion_suspicious_htm_file_creation.toml | 18 +++++------ ...itial_access_execution_from_inetcache.toml | 28 ++++++++++++++++- ...access_execution_from_removable_media.toml | 10 +++++- ...l_access_execution_remote_via_msiexec.toml | 10 +++++- ...al_access_execution_via_office_addins.toml | 23 +++++++++++++- ...cess_exfiltration_first_time_seen_usb.toml | 23 +++++++++++++- ...ial_access_exploit_jetbrains_teamcity.toml | 23 +++++++++++++- ...itial_access_rdp_file_mail_attachment.toml | 23 +++++++++++++- ...al_access_script_executing_powershell.toml | 23 +++++++++++++- ...ccess_scripts_process_started_via_wmi.toml | 13 +++++++- ...l_access_suspicious_ms_exchange_files.toml | 23 +++++++++++++- ...access_suspicious_ms_exchange_process.toml | 28 ++++++++++++++++- ...ious_ms_exchange_worker_child_process.toml | 23 +++++++++++++- ...ss_suspicious_ms_office_child_process.toml | 28 
++++++++++++++++- ...s_suspicious_ms_outlook_child_process.toml | 28 ++++++++++++++++- ...explorer_suspicious_child_parent_args.toml | 23 +++++++++++++- ..._access_webshell_screenconnect_server.toml | 28 ++++++++++++++++- ...l_access_xsl_script_execution_via_com.toml | 10 +++++- .../windows/lateral_movement_cmd_service.toml | 13 +++++++- rules/windows/lateral_movement_dcom_hta.toml | 13 +++++++- .../windows/lateral_movement_dcom_mmc20.toml | 13 +++++++- ...t_dcom_shellwindow_shellbrowserwindow.toml | 13 +++++++- ...n_lanman_nullsessionpipe_modification.toml | 23 +++++++++++++- ...vement_direct_outbound_smb_connection.toml | 10 +++++- ...ateral_movement_evasion_rdp_shadowing.toml | 23 +++++++++++++- ...movement_executable_tool_transfer_smb.toml | 10 +++++- ..._movement_execution_from_tsclient_mup.toml | 28 ++++++++++++++++- ...nt_execution_via_file_shares_sequence.toml | 10 +++++- ...vement_incoming_winrm_shell_execution.toml | 13 +++++++- .../lateral_movement_incoming_wmi.toml | 13 +++++++- ...ment_mount_hidden_or_webdav_share_net.toml | 28 ++++++++++++++++- ...l_movement_powershell_remoting_target.toml | 13 +++++++- ...lateral_movement_rdp_enabled_registry.toml | 23 +++++++++++++- .../lateral_movement_rdp_sharprdp_target.toml | 10 +++++- ...ovement_remote_file_copy_hidden_share.toml | 28 ++++++++++++++++- .../lateral_movement_remote_services.toml | 13 +++++++- ...ateral_movement_scheduled_task_target.toml | 13 +++++++- ...ement_suspicious_rdp_client_imageload.toml | 21 +++++++------ ...movement_unusual_dns_service_children.toml | 28 ++++++++++++++++- ...ement_unusual_dns_service_file_writes.toml | 13 +++++++- ...l_movement_via_startup_folder_rdp_smb.toml | 23 +++++++++++++- .../lateral_movement_via_wsus_update.toml | 28 ++++++++++++++++- .../persistence_adobe_hijack_persistence.toml | 31 +++++++++++++------ .../windows/persistence_app_compat_shim.toml | 23 +++++++++++++- .../persistence_appcertdlls_registry.toml | 31 +++++++++++++------ 
.../persistence_appinitdlls_registry.toml | 23 +++++++++++++- ...persistence_browser_extension_install.toml | 23 +++++++++++++- ...evasion_hidden_local_account_creation.toml | 23 +++++++++++++- ...tence_evasion_registry_ifeo_injection.toml | 23 +++++++++++++- ...egistry_startup_shell_folder_modified.toml | 23 +++++++++++++- ...sistence_local_scheduled_job_creation.toml | 23 +++++++++++++- ...istence_local_scheduled_task_creation.toml | 13 +++++++- ...stence_local_scheduled_task_scripting.toml | 13 +++++++- .../persistence_ms_office_addins_file.toml | 23 +++++++++++++- .../persistence_ms_outlook_vba_template.toml | 23 +++++++++++++- ...ersistence_msi_installer_task_startup.toml | 10 +++++- ...persistence_msoffice_startup_registry.toml | 23 +++++++++++++- .../windows/persistence_netsh_helper_dll.toml | 23 +++++++++++++- ...ll_exch_mailbox_activesync_add_device.toml | 28 ++++++++++++++++- .../persistence_powershell_profiles.toml | 23 +++++++++++++- ...escalation_via_accessibility_features.toml | 18 ++++++++++- .../persistence_registry_uncommon.toml | 13 +++++++- ...persistence_run_key_and_startup_broad.toml | 10 +++++- ...ce_runtime_run_key_startup_susp_procs.toml | 13 +++++++- .../persistence_service_dll_unsigned.toml | 10 +++++- .../persistence_services_registry.toml | 23 +++++++++++++- ...er_file_written_by_suspicious_process.toml | 23 +++++++++++++- ...lder_file_written_by_unsigned_process.toml | 10 +++++- .../persistence_startup_folder_scripts.toml | 23 +++++++++++++- ...stence_suspicious_com_hijack_registry.toml | 18 +++++------ ...s_image_load_scheduled_task_ms_office.toml | 21 +++++++------ ...nce_suspicious_scheduled_task_runtime.toml | 10 +++++- ...e_suspicious_service_created_registry.toml | 23 +++++++++++++- ...istence_sysmon_wmi_event_subscription.toml | 13 +++++++- ...ersistence_system_shells_via_services.toml | 28 ++++++++++++++++- .../persistence_time_provider_mod.toml | 23 +++++++++++++- .../persistence_user_account_creation.toml | 28 
++++++++++++++++- .../persistence_via_application_shimming.toml | 28 ++++++++++++++++- ...rsistence_via_bits_job_notify_command.toml | 23 +++++++++++++- ...sistence_via_hidden_run_key_valuename.toml | 21 +++++++------ ...sa_security_support_provider_registry.toml | 23 +++++++++++++- ...emetrycontroller_scheduledtask_hijack.toml | 28 ++++++++++++++++- ...ia_update_orchestrator_service_hijack.toml | 23 +++++++++++++- ...nt_instrumentation_event_subscription.toml | 28 ++++++++++++++++- ...tence_via_wmi_stdregprov_run_services.toml | 10 +++++- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 28 ++++++++++++++++- .../persistence_webshell_detection.toml | 28 ++++++++++++++++- .../persistence_werfault_reflectdebugger.toml | 23 +++++++++++++- ...tion_create_process_with_token_unpriv.toml | 10 +++++- ...ilege_escalation_disable_uac_registry.toml | 23 +++++++++++++- ...e_escalation_dns_serverlevelplugindll.toml | 13 +++++++- ...ege_escalation_driver_newterm_imphash.toml | 10 +++++- ...lege_escalation_expired_driver_loaded.toml | 10 +++++- ...lege_escalation_exploit_cve_202238028.toml | 23 +++++++++++++- ...calation_gpo_schtask_service_creation.toml | 23 +++++++++++++- ...rivilege_escalation_installertakeover.toml | 18 +++++------ ...privilege_escalation_lsa_auth_package.toml | 18 ++++++++++- ...escalation_msi_repair_via_mshelp_link.toml | 23 +++++++++++++- ...e_escalation_named_pipe_impersonation.toml | 28 ++++++++++++++++- ...ge_escalation_persistence_phantom_dll.toml | 21 +++++++------ ...ion_port_monitor_print_pocessor_abuse.toml | 18 ++++++++++- ...ation_printspooler_registry_copyfiles.toml | 13 +++++++- ..._printspooler_service_suspicious_file.toml | 23 +++++++++++++- ...printspooler_suspicious_file_deletion.toml | 23 +++++++++++++- ...tion_printspooler_suspicious_spl_file.toml | 18 ++++++++++- ..._escalation_reg_service_imagepath_mod.toml | 13 +++++++- ...calation_rogue_windir_environment_var.toml | 23 +++++++++++++- ...on_service_control_spawned_script_int.toml | 23 
+++++++++++++- ...lege_escalation_uac_bypass_com_clipup.toml | 23 +++++++++++++- ...ge_escalation_uac_bypass_com_ieinstal.toml | 23 +++++++++++++- ...n_uac_bypass_com_interface_icmluautil.toml | 18 ++++++++++- ...alation_uac_bypass_diskcleanup_hijack.toml | 28 ++++++++++++++++- ...escalation_uac_bypass_dll_sideloading.toml | 23 +++++++++++++- ...ge_escalation_uac_bypass_event_viewer.toml | 28 ++++++++++++++++- ...ege_escalation_uac_bypass_mock_windir.toml | 28 ++++++++++++++++- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 23 +++++++++++++- ...lege_escalation_unquoted_service_path.toml | 23 +++++++++++++- ...tion_unusual_parentchild_relationship.toml | 28 ++++++++++++++++- ...ion_unusual_printspooler_childprocess.toml | 13 +++++++- ...n_unusual_svchost_childproc_childless.toml | 23 +++++++++++++- ...rivilege_escalation_via_ppid_spoofing.toml | 10 +++++- ...ilege_escalation_via_rogue_named_pipe.toml | 8 +---- .../privilege_escalation_via_token_theft.toml | 10 +++++- ...rivilege_escalation_wpad_exploitation.toml | 10 +++++- 324 files changed, 6093 insertions(+), 549 deletions(-) diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index bdff598faa5..404d452308a 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -83,6 +83,14 @@ Outlook's integration with the Component Object Model (COM) allows processes to - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the suspicious activity. - Review and update endpoint protection policies to ensure that similar threats are detected and blocked in the future, leveraging the MITRE ATT&CK framework for guidance on email collection techniques.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 2baaf353390..160d98974cc 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -100,6 +100,32 @@ process where host.os.type == "windows" and event.type == "start" and process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
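Review bot: The integration list in the new `setup` string is narrower than the file's `integration` field, which (as quoted in the hunk header) also declares `windows` and `system`, so a reader following only the guide would not learn that the telemetry those integrations provide (presumably Sysmon and Windows event-log data) can also feed this rule; either add `- Windows` and `- System` bullets with a short setup section for each, or remove those entries from `integration` if they are no longer meant to be supported. The bullet names and section headings also disagree (`- CrowdStrike` vs `### Crowdstrike FDR Setup`, `- M365 Defender` vs `### Microsoft Defender for Endpoint Setup`), which makes it harder to match a listed integration to its instructions. The same gap between `integration` and the guide appears in the collection_winrar_encryption, command_and_control_certreq_postdata and command_and_control_dns_tunneling_nslookup hunks. The `[rule]` table this string belongs to starts outside the hunk.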
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index c17e967c850..a06d82df9a8 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -62,14 +62,6 @@ references = [ ] risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -112,6 +104,27 @@ process where host.os.type == "windows" and event.type == "start" and "\\Device\\HarddiskVolume?\\Nox\\bin\\Nox.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index a2a98c6bfba..42c16b8f6c6 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -133,6 +133,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and (process.name : "CertReq.exe" or ?process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 92cc74f3d42..a25b92434c1 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.investigate]] @@ -298,6 +298,14 @@ network where host.os.type == "windows" and network.protocol == "dns" and "Amazon.com Services LLC")) ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 3083a7f5f74..da233fd0df6 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -84,6 +84,27 @@ sequence by host.id with maxspan=5m [process where host.os.type == "windows" and event.type == "start" and process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10 ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 6815716b957..c4b9ce107e0 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml 
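Review bot: The added list presents itself as exhaustive (`This rule requires data from one of the following integrations:`) but names only Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, while this file's integration field, visible in its first hunk, also declares windows and system; a reader will conclude that Windows event log / Sysmon telemetry collected through those integrations is unsupported, which the rule metadata contradicts. Either scope the sentence, e.g. `This rule requires data from one of the following EDR integrations (telemetry from the Windows and System integrations is also supported):`, or add those sources to the list with a short setup pointer. The same gap appears in the setup blocks of command_and_control_headless_browser.toml, command_and_control_outlook_home_page.toml, command_and_control_port_forwarding_added_registry.toml, command_and_control_rdp_tunnel_plink.toml, command_and_control_remote_file_copy_desktopimgdownldr.toml, command_and_control_remote_file_copy_mpcmdrun.toml, command_and_control_screenconnect_childproc.toml and command_and_control_tool_transfer_via_curl.toml, whose integration fields likewise include windows and/or system.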
@@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -19,14 +19,6 @@ license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", 
@@ -90,6 +82,17 @@ Free SSL certificates, like those from Let's Encrypt, enable secure web traffic - Restore the system from a known good backup if any critical system files or configurations have been altered. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index 81abab1104f..48780cb0da8 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/10" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
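Review bot: The replacement setup block lists a single integration, Elastic Defend, yet keeps the `Note: This Detection Rule supports multiple datasets, but only one is required…` sentence, which reads as contradictory with a one-item list; the other single-source files in this commit (command_and_control_common_webservices.toml, command_and_control_iexplore_via_com.toml) use the shorter `This rule requires data from the Elastic Defend integration.`, and this file should follow that form unless the windows integration declared in its integration field is meant to be listed as well. The same one-item-plus-Note shape appears in command_and_control_new_terms_commonly_abused_rat_execution.toml and command_and_control_remote_file_copy_scripts.toml. Separately, the setup text removed earlier in this file carried a caveat about populating `event.ingested` on non-Elastic-Agent (beats) indexes for stacks before 8.2; the new text drops it without stating that it no longer applies, so if the caveat still holds for the windows/beats data path it should be kept as a short paragraph under the Elastic Defend section.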
@@ -82,6 +82,32 @@ process where host.os.type == "windows" and event.type == "start" and "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe", "pcalua.exe", "wmiprvse.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index a9db0f9e470..fe5cef2e742 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -85,6 +85,14 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini - Restore the affected system from a known good backup if malware is confirmed and cannot be fully removed, ensuring that the backup is free from compromise. - Implement network-level controls to block the identified suspicious domains and IP addresses to prevent future communication attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index 9be47999737..e65fba01b86 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -144,6 +144,14 @@ file where host.os.type == "windows" and event.action == "rename" and "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index 8e7ba96c2d3..35a71da98c7 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -278,6 +278,17 @@ host.os.type: "windows" and not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index 90f713db53b..a6549acd5fe 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -84,6 +84,27 @@ The Outlook Home Page feature allows users to set a webpage as the default view - Review and analyze network logs to identify any outbound connections to suspicious domains or IP addresses, and block these at the firewall. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if other systems are affected. - Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and network activity.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index cc1ee407e09..60d81860b10 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -87,6 +87,27 @@ registry where host.os.type == "windows" and registry.path : ( "MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 138ce8e3f7d..43e044ea2fb 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "*:3389" and process.args : ("-L", "-P", "-R", "-pw", "-ssh") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 8bb08c1cf17..2e6836fbeac 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -168,6 +168,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "desktopimgdownldr.exe" or ?process.pe.original_file_name == "desktopimgdownldr.exe") and process.args : "/lockscreenurl:http*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 2bed2b5a903..88e3acc2829 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -166,6 +166,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "MpCmdRun.exe" or ?process.pe.original_file_name == "MpCmdRun.exe") and process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 3e41e8ec3e5..1c6d54175aa 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -146,6 +146,14 @@ sequence by process.entity_id with maxspan=30s process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and not file.name : "__PSScriptPolicy*.ps1"] ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 813cad05e4c..54a3b6e198c 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -120,6 +120,17 @@ sequence by host.id, process.entity_id ] [file where host.os.type == "windows" and event.type == "creation" and file.extension : ("exe", "dll")] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 25f96b21f0e..aa243f75308 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -103,6 +103,32 @@ ScreenConnect, a remote access tool, facilitates legitimate remote support but c - Restore the system from a known good backup if any critical system files or configurations have been altered or compromised. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 53c16e9ff6d..2b5580da267 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -126,6 +126,14 @@ network where host.os.type == "windows" and event.type == "protocol" and network not http.request.body.content : "*solarwinds.com*" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 63d8333bd37..070804f5f3a 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." @@ -122,6 +122,22 @@ file where host.os.type == "windows" and event.type == "creation" and process.na ) and process.code_signature.trusted == true ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml index d155e29c316..83de06cbc71 100644 --- a/rules/windows/command_and_control_tool_transfer_via_curl.toml +++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type == "start" and user.id != process.command_line : "*http*" and process.parent.name : ("cmd.exe", "powershell.exe", "rundll32.exe", "explorer.exe", "conhost.exe", "forfiles.exe", "wscript.exe", "cscript.exe", "mshta.exe", "hh.exe", "mmc.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
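Review bot: The new `setup` text says this rule requires data from "one of the following integrations" and lists only the four EDR sources, but the rule's metadata in the hunk above (`integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]`) also declares `windows` and `system`, so the list reads as exhaustive when it is not. If the Windows and System guides are deliberately deferred to a later phase, a closing line such as `This rule is also compatible with the Windows and System integrations; setup guidance for those sources is not covered here.` would keep the section accurate for anyone onboarding from Sysmon or Windows event logs. The same gap is in the `setup` blocks of command_and_control_tunnel_vscode, credential_access_cmdline_dump_tool, credential_access_copy_ntds_sam_volshadowcp_cmdline, credential_access_credential_dumping_msbuild, credential_access_domain_backup_dpapi_private_keys, credential_access_dump_registry_hives, credential_access_generic_localdumps, credential_access_iis_connectionstrings_dumping, credential_access_imageload_azureadconnectauthsvc, credential_access_kirbi_file and credential_access_lsass_memdump_file_created, each of which declares `windows` (several also `system`) without mentioning it. A smaller nit in the same block: the list spells the vendor `CrowdStrike` while the heading two sections later is `### Crowdstrike FDR Setup`; one spelling should be used throughout, and the mismatch recurs in every CrowdStrike section of this commit.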
@@ -102,4 +128,4 @@ reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml index 1bc611fa876..061e2dbc149 100644 --- a/rules/windows/command_and_control_tunnel_vscode.toml +++ b/rules/windows/command_and_control_tunnel_vscode.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -90,6 +90,32 @@ Visual Studio Code (VScode) offers a remote tunnel feature enabling developers t - Restore the system from a known good backup if any unauthorized changes or malware are detected. - Implement network segmentation to limit the ability of similar threats to spread across the environment. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 96caa2b51a0..5c07313332b 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -118,6 +118,27 @@ process where host.os.type == "windows" and event.type == "start" and (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 14e2e20d979..61103497076 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -146,6 +146,32 @@ process where host.os.type == "windows" and event.type == "start" and ) and process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*", "*\\User Data\\*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index e6e093b01bb..561b9961f7c 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -123,6 +123,17 @@ sequence by process.entity_id [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and (?dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 58d2a58bdf1..7750a4913bd 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml 
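Review bot: The setup block added in this hunk lists a single integration under "one of the following integrations" and then keeps the "supports multiple datasets … OR condition" note, which contradicts a one-item list. credential_access_lsass_loaded_susp_dll in the same commit handles the single-source case more cleanly with `This rule requires data from the Elastic Defend integration.` and no dataset note; either reuse that phrasing here, or keep the list form only if further entries (the rule declares `windows` as well) are expected to follow, in which case the note belongs with them. credential_access_imageload_azureadconnectauthsvc has the same one-item list with the same note.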
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -35,6 +35,32 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index f1ccc8b6b77..55b3e1a5df4 100644 
--- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -93,6 +93,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : ("save", "export") and process.args : ("hklm\\sam", "hklm\\security") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 6b1d013fbfe..bc5babc0c86 100644 
--- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/28" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -85,6 +85,22 @@ Full user-mode dumps are a diagnostic feature in Windows that captures detailed - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly. - Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar credential dumping techniques.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 3982f2e52c9..67f18b40ae3 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -93,6 +93,32 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed. - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query. - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml index 4238e58285e..26d0d0eec76 100644 --- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml +++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,17 @@ Azure AD Sync Service facilitates identity synchronization between on-premises d - Change all credentials that may have been exposed or compromised, focusing on those related to Azure AD and on-premises directory services. - Implement application whitelisting to prevent unauthorized DLLs from being loaded by critical processes like Azure AD Sync. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 7977da3371d..e1048ac4236 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." 
@@ -166,6 +166,22 @@ network where host.os.type == "windows" and event.type == "start" and network.di ) and destination.address != "127.0.0.1" and destination.address != "::1" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index f1587fef43e..fbd84f3f3e4 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -63,6 +63,32 @@ Kirbi files are associated with Kerberos, a network authentication protocol used - Revoke all active Kerberos tickets and force re-authentication for all users to ensure that any stolen tickets are rendered useless. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach. - Implement enhanced monitoring and logging for Kerberos-related activities to detect and respond to similar threats more effectively in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index c3881e95792..a415d4cb05a 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/29" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -21,14 +21,6 @@ name = "Suspicious LSASS Access via MalSecLogon" references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"] risk_score = 73 rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index cb444a5b057..3a49e8ef928 100644 
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -138,6 +138,14 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s - Implement application whitelisting to prevent unauthorized DLLs from being loaded into critical processes like LSASS in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Update security monitoring tools to enhance detection capabilities for similar threats, ensuring that alerts are generated for any future attempts to load untrusted DLLs into LSASS.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 31610e3dd41..a0372da7719 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -145,6 +145,27 @@ file where host.os.type == "windows" and event.action != "deletion" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index dbf7d310a3e..b0dc8303f64 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/02" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -182,6 +182,22 @@ api where host.os.type == "windows" and ) and not ?process.code_signature.trusted == false ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index addbde90c98..c39626eda9b 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -58,14 +58,6 @@ This rule looks for the creation of a file named `mimilsa.log`, which is generat
 references = ["https://www.elastic.co/security-labs/detect-credential-access"]
 risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -85,6 +77,27 @@ type = "eql" query = ''' file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 7dd04a08fe6..2c0ec8a4900 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -70,14 +70,6 @@ references = [ ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -101,6 +93,22 @@ registry where host.os.type == "windows" and event.type == "creation" and ) and registry.data.strings : ("1", "0x00000001") and not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 8f794a53476..6545c10f304 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/06" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -79,6 +79,14 @@ file where host.os.type == "windows" and event.type == "creation" and "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 6ffc0fe8fc4..696d06d117c 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -143,6 +143,22 @@ registry where host.os.type == "windows" and event.type == "change" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml index e3a407c175f..52b81acb1a9 100644 --- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml +++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/27" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -20,14 +20,6 @@ name = "Potential Credential Access via DuplicateHandle in LSASS" references = ["https://github.com/CCob/MirrorDump"] risk_score = 47 rule_id = "02a4576a-7480-4284-9327-548a806b5e48" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml index 45500f46a21..634cdbda09c 100644 --- a/rules/windows/credential_access_regback_sam_security_hives.toml +++ b/rules/windows/credential_access_regback_sam_security_hives.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -75,6 +75,14 @@ file where host.os.type == "windows" and "?:\\Windows\\system32\\taskhostw.exe", "?:\\Windows\\system32\\taskhost.exe" )) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
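Review bot: The `@@ -20,14 +20,6 @@` hunk in credential_access_potential_lsa_memdump_via_mirrordump.toml deletes the rule's only `setup` text and adds nothing in its place, so a rule whose metadata declares `integration = ["windows"]` is left with no setup guidance while every Elastic Defend rule in this commit gains one; the same happens in credential_access_suspicious_lsass_access_generic.toml and credential_access_suspicious_lsass_access_memdump.toml. Dropping the `event.ingested` caveat is defensible since all three files carry `min_stack_version = "8.14.0"`, well past the 8.2 threshold the old text referred to. A minimal replacement would be a `setup = """## Setup` block stating that the rule requires data from the Windows integration and naming the data stream the query depends on — presumably Sysmon, but the query is outside these hunks, so confirm before writing it.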
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index 990d0407c58..361a578e736 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -98,6 +98,32 @@ NTLM, a suite of Microsoft security protocols, is often targeted by adversaries - Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities. - Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index f3fde2b0828..cb39b2f9c53 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -56,16 +56,6 @@ references = [ ] risk_score = 73 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8" -setup = """## Setup - -This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
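Review bot: The added setup block in credential_access_relay_ntlm_auth_via_http_spoolss.toml spells the vendor two ways, `- CrowdStrike` in the integration list but `### Crowdstrike FDR Setup` and `telemetry generated by Crowdstrike FDR` in the heading and body; the same mismatch recurs in the setup blocks of credential_access_saved_creds_vaultcmd.toml, credential_access_veeam_commands.toml, credential_access_wbadmin_ntds.toml and credential_access_wireless_creds_dumping.toml. Since the text is clearly generated from one template, fix it once at the source with `### CrowdStrike FDR Setup` and `This rule is compatible with telemetry generated by CrowdStrike FDR.` and regenerate, rather than patching each file.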
@@ -85,6 +75,14 @@ file where host.os.type == "windows" and file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and file.path : ("?:\\Windows\\system32\\*.tmp", "?:\\WINDOWS\\Temp\\*.tmp") ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index ae548489730..f384dd6c324 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -92,6 +92,32 @@ Windows Credential Manager stores credentials for websites, applications, and ne - Implement enhanced monitoring on the affected system and similar endpoints for any further attempts to use VaultCmd.exe or other credential dumping tools. - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach. - Review and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future, leveraging threat intelligence and MITRE ATT&CK framework insights.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml index a92818305b6..e445278a908 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/22" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -17,14 +17,6 @@ name = "Suspicious Lsass Process Access" references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"] risk_score = 47 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 7de6d5c1369..c3c04aaa1aa 100644 
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/07" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -24,14 +24,6 @@ references = [ ] risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml index 0af9521613a..f1dc825195e 100644 --- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml +++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -73,6 +73,14 @@ Veeam Backup software is crucial for data protection, enabling secure backup and - Restore any affected systems or data from a known good backup to ensure integrity and availability. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for similar activities, focusing on unauthorized process executions and DLL loads, to improve early detection of future threats.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml index cc760955744..b460d7deebf 100644 --- a/rules/windows/credential_access_veeam_commands.toml +++ b/rules/windows/credential_access_veeam_commands.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -92,6 +92,32 @@ Veeam credentials stored in MSSQL databases are crucial for managing backup oper - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring on systems storing Veeam credentials to detect similar suspicious activities in the future. - Review and update access controls and permissions for MSSQL databases to ensure only authorized personnel have access to Veeam credentials.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml index 29b5cd8b8eb..3151877f86e 100644 --- a/rules/windows/credential_access_wbadmin_ntds.toml +++ b/rules/windows/credential_access_wbadmin_ntds.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ Wbadmin is a Windows utility for backup and recovery, often used by administrato - Restore the NTDS.dit file from a known good backup if any unauthorized modifications are detected. - Implement enhanced monitoring and logging for wbadmin.exe usage across all domain controllers to detect future unauthorized access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index 6a4271c9d57..c2270fdbc6c 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -121,6 +121,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and process.args : "wlan" and process.args : "key*clear" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
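Review bot: The new `setup` block says the rule requires data from one of Elastic Defend, M365 Defender, SentinelOne Cloud Funnel or CrowdStrike, but this file's `integration` metadata (visible in the hunk above) also declares `system` and `windows`, so users who feed Windows Security or Sysmon data through those integrations get no setup guidance and may conclude the rule does not support their source. The same gap exists in the setup hunks of the other files in this chunk whose metadata lists `windows` and/or `system` (attrib, AMSI DLL hijack, AmsiEnable, console history, event logs, both code-signing-policy rules, root certificate, Defender registry, Defender exclusion, fsutil, NLA, ScriptBlockLogging). Either add a short section for those integrations or state explicitly that the list only covers EDR sources. The sentence `Listed indexes and integrations should be interpreted as an OR condition` also refers to indexes the block never lists; `Listed integrations should be interpreted as an OR condition` reads cleaner.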
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 6043131dcdd..279c3ef8fdc 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -131,6 +131,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 726fe74345d..9b552c8a697 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -139,6 +139,27 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 0edc49a16fd..27c06f7fec5 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
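Review bot: The setup text here differs from the other files' blocks only in which vendor sections are present, i.e. it is a hand-maintained copy of a template parameterised by the `integration` list, and the copies are already drifting (spelling of the CrowdStrike section, presence or absence of integrations). This file already carries a `[transform]` table (metadata hunk above), so if the repository's transform mechanism supports shared text snippets, emitting the setup block from the `integration` list would keep every rule consistent; if it does not, a single template in the rule-authoring tooling with a lint that checks each listed integration against `integration` would catch the mismatches before they reach the rules. This is a style point about how the content is maintained, not about the text itself.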
@@ -2,7 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -98,6 +98,27 @@ registry where host.os.type == "windows" and event.type == "change" and HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" */ ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 62cef1d7a1d..01994825b49 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -96,6 +96,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 3dfe685d34f..435bcea7789 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -96,6 +96,32 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index 4251115b3ca..27a1e69cdbd 100644 
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -119,6 +119,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index aeeb61a20f9..6f81c93274c 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -111,6 +111,27 @@ registry where host.os.type == "windows" and event.type == "change" and "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" */ ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index 149d52717bf..1119640ed0a 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -254,6 +254,14 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows - Update the communication app and all related software to the latest versions to patch any known vulnerabilities that may have been exploited. - Implement application whitelisting to ensure only trusted and signed applications can execute, reducing the risk of similar threats. - Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to assess the potential impact on other systems.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 55093bd4d34..2a9e90444df 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -126,6 +126,27 @@ registry where host.os.type == "windows" and event.type == "change" and registry "?:\\Windows\\WinSxS\\*.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 44c1512773a..7dee6a256af 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/17" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -100,6 +100,22 @@ registry where host.os.type == "windows" and event.type == "change" and ) and user.id : "S-1-5-18" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 48eb71e0524..182e74af9e8 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -106,6 +106,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and process.args : ("*-Exclusion*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index e80066eafb4..0dab756a38b 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and process.args : "deletejournal" and process.args : "usn" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
index ab4dd964e69..4997d1560b5 100644
--- a/rules/windows/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/25"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -82,6 +82,27 @@ Network-Level Authentication (NLA) enhances security for Remote Desktop Protocol - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities. - Review and update endpoint security policies to ensure that registry changes related to NLA are monitored and alerts are generated for any unauthorized modifications.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 67929fe2adc..f4c63b944a0 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -86,6 +86,27 @@ registry where host.os.type == "windows" and event.type == "change" and
 "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
 ) and registry.data.strings : ("0", "0x00000000")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index e25d77c4ef8..e2eee1cd52e 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
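Review bot: The added setup text tells operators this rule "requires data from one of" Elastic Defend, M365 Defender or SentinelOne Cloud Funnel, but the file's `integration` metadata in the hunk above also declares `windows`, so anyone feeding the rule through the Windows integration is told it does not apply to them. If `windows` is an intended data source, add it to the bullet list with its own setup subsection; if it is not, the `integration` array should be trimmed to match so the two fields do not disagree. The same metadata/setup mismatch appears in the setup hunks of every other file in this chunk whose `integration` lists `windows` and `system` (firewall_rules_with_netsh, disabling_windows_defender_powershell, disabling_windows_logs, dns_over_https_enabled, dotnet_compiler_parent_process, enable_inbound_rdp_with_netsh, enable_network_discovery_with_netsh, control_panel_suspicious_args, lolbas_wuauclt, msbuild_started_by_office_app, msbuild_started_by_script, msbuild_started_by_system_process). Since the setup block is generated boilerplate, the fix is probably in the generator's source-to-section mapping rather than per file.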
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -85,6 +85,32 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.args : "advfirewall" and process.args : "off" and process.args : "state")
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
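Review bot: The integration bullet is spelled `- CrowdStrike` while the subsection a few lines below is headed `### Crowdstrike FDR Setup` and its body says "Crowdstrike FDR"; the vendor's own casing is CrowdStrike, and the mismatch makes the list entry and the heading read as two different things. Using one form throughout, e.g. `### CrowdStrike FDR Setup` and "telemetry generated by CrowdStrike FDR", keeps the bullet and the heading obviously paired. The same inconsistency is present in every CrowdStrike-bearing setup hunk in this chunk (disabling_windows_defender_powershell, disabling_windows_logs, dotnet_compiler_parent_process, enable_inbound_rdp_with_netsh, enable_network_discovery_with_netsh, control_panel_suspicious_args, lolbas_wuauclt, msbuild_started_by_office_app, msbuild_started_by_system_process), so it is most likely a template string to fix once.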
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index c58c50f40fb..7ca33f994f8 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -96,6 +96,32 @@ process where host.os.type == "windows" and event.type == "start" and
 ) and process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 6d36c13358e..d8ad5d9292d 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,32 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 6f4320c1a28..46100f8cd88 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/22"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -82,6 +82,27 @@ DNS-over-HTTPS (DoH) encrypts DNS queries to enhance privacy and security, preve
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring for registry changes related to DNS settings across the organization to detect similar threats in the future.
 - Review and update security policies to ensure that DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 7f932ca3d40..5e587648f69 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -88,6 +88,32 @@ note = """## Triage and analysis
 - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning.
 - Implement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 56d52cc816f..63dc4d13005 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type == "start" and
 process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and
 process.args : ("action=allow", "enable=Yes", "enable")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index cc21a55c697..ebeaf2025c2 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,32 @@ process where host.os.type == "windows" and event.type == "start" and
 process.name : "netsh.exe" and process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 24dc8f1e23c..e64ea1df2b4 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/09/08"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -98,6 +98,32 @@ The Control Panel in Windows is a system utility that allows users to view and a
 - Restore any affected files or system settings from a known good backup to ensure system integrity.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
 - Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 56c9510a93e..81043aceada 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -136,6 +136,32 @@ process where host.os.type == "windows" and event.type == "start" and
 /* common paths writeable by a standard user where the target DLL can be placed */
 process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index c6ef3c6158d..0de4800c418 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -117,6 +117,32 @@ process where host.os.type == "windows" and event.type == "start" and
 "powerpnt.exe", "winword.exe"
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index c4dd1fecba9..5defa4755b1 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -75,6 +75,17 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty
 - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for MSBuild and script interpreter activities across the network to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index b235d0cccd2..d1f5b33f2c0 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
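Review bot: The setup block for msbuild_started_by_script lists a single integration, Elastic Defend, yet keeps the boilerplate sentence `Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.`, which now describes a choice that does not exist and reads as copy-paste. When the generated list has one entry the note should be omitted, or reworded to something like `Note: This rule is currently only supported with the Elastic Defend integration.` so the text matches the list above it. This is the only single-integration setup hunk in the chunk, so it is likely a template condition rather than a one-off edit.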
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,32 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty - Restore the system from a known good backup if any critical system files or applications have been altered or corrupted. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 0dbd8efef6f..de9c899b262 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
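Review bot: Vendor naming and ordering are inconsistent inside the new setup block: the bullet list says `- CrowdStrike` and `- M365 Defender`, while the headings say `### Crowdstrike FDR Setup` and `### Microsoft Defender for Endpoint Setup`, and the headings run SentinelOne, Crowdstrike, Microsoft Defender while the bullets run M365 Defender, SentinelOne, CrowdStrike. Using one spelling (`### CrowdStrike FDR Setup`) and ordering the per-vendor sections the same way as the bullets makes the block easier to scan once it is copied into many rules. The same pattern appears in the iis_httplogging_disabled, indirect_exec_forfiles and lolbas_win_cdb_utility hunks, and hide_encoded_executable_registry orders its bullets differently again (SentinelOne before M365 Defender).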
@@ -117,6 +117,22 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name == "MSBuild.exe" and not process.name : "MSBuild.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index bd07774ed21..78645dc14fd 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -86,6 +86,17 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, of - Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and logging for MSBuild and related processes to detect any future misuse or anomalies promptly. - Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, ensuring that security controls are effectively blocking unauthorized script execution.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 6c7a52f2e63..cdc05c675f4 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -20,14 +20,6 @@ license = "Elastic License v2" name = "Potential DLL Side-Loading via Trusted Microsoft Programs" risk_score = 73 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -91,6 +83,22 @@ DLL side-loading exploits the DLL search order to load malicious code into trust - Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading. - Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index f47b122f137..fe7ce995f75 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -24,14 +24,6 @@ references = [ ] risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -93,6 +85,22 @@ The Microsoft Antimalware Service Executable, a core component of Windows Defend - Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis. - Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures. - Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index aafffc95638..7120abee2b8 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -76,6 +76,27 @@ In Windows environments, adversaries may exploit file extensions to disguise mal - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities for future incidents.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 2ee0007f97b..44ce8beaf63 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -174,6 +174,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Users\\Public\\Documents\\syspin.exe", "?:\\Users\\Public\\res\\FileWatcher.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 5e37948e8b9..58c977192b3 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -63,6 +63,27 @@ Windows Registry is a hierarchical database storing low-level settings for the O - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning. - Monitor the system and network for any signs of re-infection or similar registry modifications, adjusting detection rules if necessary to enhance future threat identification. - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 0dc79543403..ee70981193d 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -88,6 +88,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "/dontLog*:*True" and not process.parent.name : "iissetup.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index e458499fd12..2f3f696ec5c 100644 
--- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml +++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -77,6 +77,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and (process.name : "forfiles.exe" or ?process.pe.original_file_name == "forfiles.exe") and process.args : ("/c", "-c") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index d0f651bb220..66ac0c9b101 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -78,6 +78,17 @@ InstallUtil.exe is a legitimate Windows utility used for installing and uninstal - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index bf4b4be6a9d..0511a7f840e 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml 
+++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -91,6 +91,32 @@ The Windows command line debugging utility, cdb.exe, is a legitimate tool used f - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Implement application whitelisting to prevent unauthorized execution of cdb.exe from non-standard paths. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 08fd9150654..3bb0f0ace25 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -107,6 +107,27 @@ Endpoint security solutions, like Elastic and Microsoft Defender, monitor and pr - Update endpoint security solutions and apply any available patches to address vulnerabilities that may have been exploited by the adversary. - Monitor the network and systems for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting based on the identified threat indicators. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml index 4ec3e5ee0e6..611b6a6c2ae 100644 --- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -200,6 +200,14 @@ Business applications are integral to productivity, often downloaded and install - Review and analyze the process execution logs and any related network activity to understand the scope of the intrusion and identify any other potentially compromised systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement application whitelisting to prevent unauthorized executables from running, ensuring only trusted and signed applications are allowed to execute.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index 9ea0e913d23..91085dd489a 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/05/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -126,6 +126,14 @@ Communication apps are integral to modern workflows, facilitating seamless inter - Restore any compromised systems from a known good backup to ensure the integrity of the system and data. - Monitor network traffic and system logs for any signs of lateral movement or further attempts to exploit communication apps. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 15635fea2d0..2553172d635 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -114,6 +114,22 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 30695cdb25f..d37cb4b15f3 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
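Review bot: The new `setup` block in defense_evasion_masquerading_renamed_autoit.toml lists only Elastic Defend and M365 Defender as data sources, while the file's `integration` array in the preceding hunk also names `windows`, so someone whose telemetry for this rule arrives via the Windows integration gets no setup guidance and may read the guide as saying that source is unsupported. Either add a short section for the Windows integration data source or, if `windows` is no longer a supported source for this rule, drop it from `integration` so the two stay consistent. The same mismatch is present in the setup hunks for masquerading_suspicious_werfault_childproc, masquerading_trusted_directory (also `system`), masquerading_werfault, microsoft_defender_tampering, misc_lolbin_connecting_to_the_internet, ms_office_suspicious_regmod, msbuild_making_network_connections, mshta_beacon, msiexec_child_proc_netcon, msxsl_network, network_connection_from_windows_binary, persistence_account_tokenfilterpolicy, powershell_windows_firewall_disabled (also `system`) and proxy_execution_via_msdt. A rule-validation check that every entry in `integration` is named somewhere in `setup` would catch this class of drift before it reaches users.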
@@ -95,6 +95,27 @@ WerFault.exe is a Windows error reporting tool that handles application crashes. - Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack. - Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 663acbc611e..55c159babcb 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -111,6 +111,32 @@ The Program Files directories in Windows are trusted locations for legitimate so - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics. - Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index fde26ca2cff..c8af94fb510 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -127,6 +127,17 @@ sequence by host.id, process.entity_id with maxspan = 5s network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1" ] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 8d7ee180716..ba882c5bba3 100644 
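Review bot: The CrowdStrike section in the defense_evasion_masquerading_trusted_directory.toml setup block is inconsistent with the bullet list above it: the bullet reads `- CrowdStrike` while the heading and body use `Crowdstrike FDR`, and the section order (Elastic Defend, SentinelOne, Crowdstrike, Microsoft Defender) does not follow the bullet order (Elastic Defend, M365 Defender, SentinelOne, CrowdStrike). Pick one spelling — the vendor writes it `CrowdStrike` — and order the sections the same way as the list so a reader can find their source quickly, e.g. `### CrowdStrike FDR Setup` and `This rule is compatible with telemetry generated by CrowdStrike FDR.`. The same applies to the powershell_windows_firewall_disabled setup hunk, and the SentinelOne-before-M365 section order against an M365-before-SentinelOne bullet list recurs in most of the three-source blocks in this patch.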
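Review bot: The setup block added to defense_evasion_masquerading_werfault.toml opens with `This rule requires data from one of the following integrations:` followed by a single bullet and the multi-dataset OR note, which reads oddly for a rule with one listed source; other hunks in this same patch (masquerading_business_apps_installer, masquerading_communication_apps, parent_process_pid_spoofing, process_termination_followed_by_deletion) use the compact form `This rule requires data from the Elastic Defend integration.` with no note. Use the compact form here and drop the `Note:` sentence, unless the intent was to also cover the `windows` source named in this file's `integration` array, in which case add that bullet and section instead. The same single-bullet pattern appears in misc_lolbin_connecting_to_the_internet, msbuild_making_network_connections, mshta_beacon, msxsl_network and network_connection_from_windows_binary.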
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -132,6 +132,27 @@ registry where host.os.type == "windows" and event.type == "change" and process. "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" */ ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 4e470e8ba1a..d5e5006cce6 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -130,6 +130,17 @@ sequence by process.entity_id "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index f749a8499a2..86b0295105f 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/12" integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -108,6 +108,22 @@ registry where host.os.type == "windows" and event.type == "change" and registry ) and registry.data.strings : ("0x00000001", "1") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 6742eb34238..3fd6c5e9435 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -150,6 +150,17 @@ sequence by process.entity_id with maxspan=30s "vortex.data.microsoft.com", "api.nuget.org")] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 103bb66acf9..03ca574b24e 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -81,6 +81,17 @@ Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Applica - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. - Implement application whitelisting to prevent unauthorized execution of mshta.exe and similar system binaries. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml index dde8076da1a..7420f188780 100644 --- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml +++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -84,6 +84,22 @@ MsiExec is a Windows utility for installing, maintaining, and removing software. - Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 4049b815df4..ff001ba195e 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -81,6 +81,17 @@ MsXsl.exe is a legitimate Windows utility used to transform XML data using XSLT - Restore the affected system from a known good backup if any critical system files or configurations have been altered. - Implement network segmentation to limit the ability of msxsl.exe or similar utilities to make unauthorized external connections in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been impacted.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index a8a58c8dbbc..d78eafb6773 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -185,6 +185,17 @@ sequence by process.entity_id with maxspan=5m not startswith~(dns.question.name, host.name) ] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 49a6b6d135d..f42562b4017 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -110,6 +110,14 @@ Parent Process PID Spoofing involves manipulating the parent process identifier - Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited by the adversary. - Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of the threat, focusing on process creation events and parent-child process relationships. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index c2a8f625a6d..eee27e1b167 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -85,6 +85,27 @@ The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabl - Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign. - Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 2521ce2dc82..c61709e5a7c 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -104,6 +104,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "*-Enabled*" and process.args : "*False*" and process.args : ("*-All*", "*Public*", "*Domain*", "*Private*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 83c94bfe8c2..47ec0310a43 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -144,6 +144,14 @@ sequence by host.id with maxspan=5s ) ] by file.path ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index d76195296cf..bd702f6f51c 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -88,6 +88,22 @@ The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool use - Restore any affected files or system components from a known good backup to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index 00de7eaa076..41cb655a827 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -90,6 +90,27 @@ The DNS Global Query Block List (GQBL) is a security feature in Windows environm - Monitor network traffic for signs of WPAD spoofing or other related attacks, and implement network segmentation to limit the impact of potential threats. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Update security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List, ensuring rapid detection and response to similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml index b9666969c39..4a0a2cb652b 100644 --- a/rules/windows/defense_evasion_right_to_left_override.toml +++ b/rules/windows/defense_evasion_right_to_left_override.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -85,6 +85,27 @@ The RTLO character reverses text direction, often used to disguise file extensio - Review and analyze system logs and security alerts to determine the extent of the compromise and identify any lateral movement or additional affected systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. - Implement enhanced monitoring and detection rules to identify future attempts to use RTLO characters for masquerading, ensuring that similar threats are detected promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml index 53311fc30f5..84e8a94e383 100644 --- a/rules/windows/defense_evasion_root_dir_ads_creation.toml +++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -86,6 +86,27 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple streams - Restore affected files from a known good backup to ensure system integrity and remove any compromised data. - Monitor network traffic for unusual patterns or connections that may indicate ongoing malicious activity or data exfiltration attempts. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 6979c9fba8b..160a50f880a 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -123,6 +123,17 @@ sequence with maxspan=1h [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "rundll32.exe" ] by process.parent.entity_id ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index 3bb8cbf9a1c..7010e7d3434 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/10" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
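Review bot: The new setup block in defense_evasion_rundll32_no_arguments.toml lists a single entry under "one of the following integrations" and then keeps the "supports multiple datasets, but only one is required" note, which reads as if alternatives existed. The single-source files in this same commit (defense_evasion_process_termination_followed_by_deletion.toml and defense_evasion_sccm_scnotification_dll.toml) use the shorter form, so I would align on `This rule requires data from the Elastic Defend integration.` and drop the list and the OR note. The same shape appears in defense_evasion_suspicious_execution_from_mounted_device.toml further down. Both rules also carry "windows" in their `integration` field, so presumably Sysmon-based data is supported but gets no setup guidance here; worth confirming that omission is intended for this phase.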
@@ -83,6 +83,32 @@ The `sc.exe` utility in Windows is used to manage services, including modifying - Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify service DACLs, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. - Review and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml index 2e9bde60d3e..e27bee8632e 100644 --- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml +++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -70,6 +70,14 @@ CcmExec, part of Microsoft's System Center Configuration Manager, manages client - Investigate the source of the untrusted DLL and remove any unauthorized software or scripts that may have facilitated its introduction. - Implement application whitelisting to prevent unauthorized DLLs from being loaded by SCNotification.exe or other critical processes in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
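Review bot: In the defense_evasion_sc_sdset.toml setup block the integrations are listed as Elastic Defend, SentinelOne Cloud Funnel, M365 Defender, CrowdStrike, while every other four-source block in this commit (the first hunk on this page, defense_evasion_suspicious_certutil_commands.toml and defense_evasion_suspicious_managedcode_host_process.toml) uses Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike; I would reorder the list to match. The rule's `integration` field in the preceding hunk header is cut off after `"m365_defende`, so I could not verify that `crowdstrike` is actually declared there — please confirm, since both the list and the Crowdstrike FDR section claim support for it. Minor: the list item says "CrowdStrike" while the heading and body say "Crowdstrike FDR"; pick one spelling across all of these blocks.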
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index e809d1593fe..39cac1d64bb 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -80,6 +80,27 @@ The AT command, a legacy Windows utility, schedules tasks for execution, often u - Monitor network traffic and logs for any signs of data exfiltration or communication with known malicious IP addresses or domains. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml index efb57856d50..dbfcbcbd4f9 100644 --- a/rules/windows/defense_evasion_script_via_html_app.toml +++ b/rules/windows/defense_evasion_script_via_html_app.toml @@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -113,6 +113,22 @@ Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment, - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated. - Implement network segmentation to limit the ability of similar threats to propagate across the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 0afe8f45790..e5992a94907 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml 
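Review bot: The defense_evasion_script_via_html_app.toml setup block documents only SentinelOne Cloud Funnel and M365 Defender, yet the rule's `integration` field (visible in the preceding hunk header) starts with "windows" and "system"; users collecting through those integrations get no setup guidance, and for this rule there is no Elastic Defend entry to fall back on. I would add the Windows and System integrations to the list with a short section pointing to their integration documentation, or state explicitly that this phase covers EDR sources only. The same omission of "windows" applies to the msdt, GQBL, RTLO, ADS, scheduled-jobs, sdelete, SIP and SolarWinds blocks above and the certutil block below, but it matters most here.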
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -71,6 +71,27 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 04bde56d0d8..289104c3bc0 100644 
--- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -83,6 +83,27 @@ Subject Interface Package (SIP) providers are integral to Windows' cryptographic - Review and update endpoint protection policies to ensure that similar unauthorized modifications are detected and blocked in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 9a2b2cf07ba..a142f7dc585 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -92,6 +92,27 @@ SolarWinds software is integral for network management, often requiring deep sys - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. - Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint. - Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index ae8a631e1a4..81f940524cc 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -138,6 +138,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") and process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 5d6f59d9c2b..50dbbb01388 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -23,14 +23,6 @@ references = [ ] risk_score = 47 rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -87,6 +79,17 @@ In Windows environments, script interpreters and signed binaries are essential f - Update and patch the system to close any vulnerabilities that may have been exploited by the attacker. - Monitor for any recurrence of similar activities by enhancing logging and alerting mechanisms, focusing on process execution from non-standard directories. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index f7dc5f1cb3b..734be00cfa1 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -85,6 +85,32 @@ Managed code hosting processes like wscript.exe, cscript.exe, and others are int - Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope and impact of the incident. - Notify the security operations center (SOC) or incident response team to escalate the incident for further investigation and to determine if additional systems are affected. - Implement additional monitoring and detection rules to enhance visibility and prevent similar threats in the future, focusing on the specific processes and behaviors identified in the alert.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index 5d6fd9988b6..2d1646465f2 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -104,14 +104,6 @@ references = [ ] risk_score = 73 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index b5b791d4e43..23f2ccd8d87 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml 
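Review bot: The section order in the new `setup` block for `defense_evasion_suspicious_managedcode_host_process.toml` (Elastic Defend, SentinelOne, Crowdstrike, Microsoft Defender) does not follow the integration list above it (Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike), and the vendor is spelled `CrowdStrike` in the list but `Crowdstrike` in the `### Crowdstrike FDR Setup` heading and body. Since this template is repeated across the patch, aligning heading order with the list and normalizing to `### CrowdStrike FDR Setup` keeps the generated guides consistent. The `windows` entry in this rule's `integration` array has no corresponding section; if Sysmon guidance is intentionally deferred to a later phase, a one-line note saying so would stop readers from assuming that source is unsupported.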
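Review bot: The `@@ -104,14 +104,6 @@` hunk removes the only `setup` text from `defense_evasion_suspicious_process_access_direct_syscall.toml` without adding the replacement block every other rule in this patch receives, so this rule now ships with no setup guidance at all. Its `integration` array is `["windows"]`, i.e. the Sysmon-based source this phase does not cover, which presumably explains the gap, but the deleted text was the only hint operators had about data requirements. Either keep a minimal `setup` that points at the Windows integration documentation, or state in the PR description that Sysmon-only rules get their guides in a later phase. Dropping the `<8.2` ingest-pipeline caveat itself is fine given `min_stack_version = "8.14.0"`.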
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -92,6 +92,17 @@ The scrobj.dll is a legitimate Windows library used for executing scriptlets, of - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule. - Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 68ef0312a42..e42f0b73ce1 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml 
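Review bot: As with the other Elastic-Defend-only guides in this patch, the new `setup` block for `defense_evasion_suspicious_scrobj_load.toml` lists one integration but keeps the OR-condition note written for multi-source rules, and the `windows` integration declared in this file's `integration` array is not mentioned at all. The single-source form already used in `defense_evasion_unsigned_dll_loaded_from_suspdir.toml` (`This rule requires data from the Elastic Defend integration.`) is the better fit, or a Sysmon section should be added if the rule is meant to work from Sysmon image-load events.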
@@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -113,6 +113,22 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and length(process.name) > 0 and length(process.name) == 5 and length(process.pe.original_file_name) > 5 ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 1320e4cf3c8..e1634288d5a 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml 
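Review bot: The new `### Microsoft Defender for Endpoint Setup` section advertises M365 Defender as a sufficient source, but the query immediately above depends on `length(process.pe.original_file_name) > 5`; if the M365 Defender data stream does not populate `process.pe.original_file_name`, the rule can never match on that source and the guide overstates coverage. Worth confirming that field mapping for the integration before listing it, or adding a caveat to the setup text such as `Note: this rule relies on process.pe.original_file_name being present in the ingested process events.` The `windows` integration declared in the file header again has no section.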
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -81,6 +81,17 @@ Windows Management Instrumentation Command-line (WMIC) is a powerful tool for ma - Restore the system from a known good backup if any critical system files or configurations have been altered. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 71b4c64cb85..295e2223337 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -129,6 +129,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
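Review bot: The new `setup` block lists CrowdStrike as a supported source, but the `integration` array shown in this file's `@@ -4,7 +4,7 @@` hunk header is truncated after `"m365_defende`, so it is not visible here whether `crowdstrike` is actually declared for `defense_evasion_suspicious_zoom_child_process.toml` or whether the rule's `index` includes the CrowdStrike data stream. If it is not, the `- CrowdStrike` bullet and the `### Crowdstrike FDR Setup` section should be removed so the guide does not promise telemetry the rule never reads; if it is, a reviewer only needs to confirm. The `windows` entry that is visible in that header has no section either.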
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 81e748f1336..61260d34c7c 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -125,6 +125,27 @@ file where host.os.type == "windows" and event.type != "deletion" and "userinit.exe", "LogonUI.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index ba8e90302ae..984c131f13f 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/11/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -21,14 +21,6 @@ references = [ ] risk_score = 47 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -160,6 +152,14 @@ DLL side-loading exploits the trust of signed executables to load malicious DLLs - Review and restore any altered system configurations or settings to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has impacted other systems. - Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index cdea35a2d56..9ba62379e30 100644 
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -115,6 +115,14 @@ driver where host.os.type == "windows" and process.pid == 4 and dll.code_signature.trusted != true and not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*") ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index c8905c48390..7569d464f86 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -160,6 +160,27 @@ file where host.os.type == "windows" and event.type == "creation" and "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 2f097277e2f..2d230bd4e1c 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -75,6 +75,32 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple data str - Restore any affected files or systems from known good backups to ensure system integrity. - Monitor the network for any unusual outbound traffic from the affected system that may indicate data exfiltration attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 28aae9651a0..a4cbeba99ff 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -84,6 +84,17 @@ Dllhost.exe is a legitimate Windows process used to host DLL services. Adversari - Restore the affected system from a known good backup to ensure that any potential backdoors or persistent threats are removed. - Implement network segmentation to limit the ability of similar threats to spread across the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional organizational measures are required.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index f18055065db..1ad10b727d4 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
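Review bot: This rule's `integration` array still includes `windows`, but the new `setup` block names only Elastic Defend while keeping the multi-source OR note, so an operator collecting Sysmon network-connection events (the rule appears to be a network detection from its name and note; the query is outside this hunk) gets no guidance, and an Elastic Defend user is told there are alternatives that are not listed. Use the single-source wording from `defense_evasion_unsigned_dll_loaded_from_suspdir.toml` (`This rule requires data from the Elastic Defend integration.`) or add a Windows/Sysmon section that covers network-connection event collection.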
@@ -83,6 +83,17 @@ sequence by host.id, process.entity_id with maxspan=1m "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 104bf15fb9a..ea770d0f246 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -91,6 +91,17 @@ sequence by process.entity_id process.name : "rcsi.exe" or process.name : "xwizard.exe")] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index b1eadcddb61..1424efdb2a3 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -83,6 +83,27 @@ In Windows environments, the System process (PID 4) is a critical component resp - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through other means. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the affected system and similar environments to detect any recurrence of the threat, focusing on process creation events and anomalies related to the System process.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
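Review bot: The `integration` array for `defense_evasion_unusual_system_vp_child_program.toml` includes `system` (Windows Security event log collection) and `windows` (Sysmon), but the new `setup` block documents only Elastic Defend, SentinelOne and Microsoft Defender, so a deployment relying on native Windows process-creation auditing has no section to follow. If the System and Sysmon guides are deferred to a later phase, a short sentence in the block such as `Windows Security and Sysmon event collection guidance will be added separately.` keeps the list honest; otherwise add a `### Windows System Integration Setup` section pointing at the system integration documentation.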
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 8abbc414825..beb92221eda 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -137,6 +137,22 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index b420a15a18f..fbc2a8e3975 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml 
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/02" integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -91,6 +91,27 @@ process where host.os.type == "windows" and event.type == "start" and "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\control.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index fcad58baebe..9e89a64d6a3 100644 
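Review bot: The new setup correctly omits Elastic Defend, which is not in this rule's `integration` array, but two of the five declared sources, `windows` and `system`, still have no section, so a deployment relying only on Windows Security or Sysmon event collection receives a guide that does not apply to it. The `process.executable` patterns in the query context (`\\Device\\HarddiskVolume?\\...`) suggest EDR telemetry formats are the primary target, which makes it more important to say explicitly what the guide covers, e.g. `This guide covers the EDR integrations; Windows Security and Sysmon collection are documented separately.` The `### Crowdstrike FDR Setup` heading also disagrees with the `- CrowdStrike` spelling in the list above it.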
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -101,6 +101,27 @@ Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on - Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index cd43a1c7678..ff04426a817 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -108,6 +108,32 @@ Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on - Restore the system from a known good backup if malicious activity has compromised system integrity. - Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index d6481083cd5..74176429e50 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type : "start" and (process.name : "Dism.exe" or ?process.pe.original_file_name == "DISM.EXE") and process.command_line : "*Microsoft-Windows-Subsystem-Linux*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index f653d30cd3b..fb0314892d6 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -81,6 +81,17 @@ Windows Subsystem for Linux (WSL) allows users to run a Linux environment direct - Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited. - Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving "dllhost.exe" and the Plan9FileSystem. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 3c99fb56080..15d84637450 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml 
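Review bot: In `defense_evasion_wsl_filesystem.toml` the list under "one of the following integrations" has a single entry, yet the paragraph beneath still says the rule "supports multiple datasets" and that the list is an OR condition, which reads as a copy-paste leftover. The `discovery_active_directory_webservice.toml` hunk in this same patch uses the single-source wording `This rule requires data from the Elastic Defend integration.` with no OR note; use that here unless the `windows` entry in this file's `integration` field is meant to be listed as a second source, in which case add it instead.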
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -96,6 +96,32 @@ Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Win - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools. - Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index 912dbf47093..4222b2250fc 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -86,6 +86,27 @@ query = ''' registry where host.os.type == "windows" and event.type == "change" and registry.value : "PackageFamilyName" and registry.path : "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml index 56600c5238b..2e456a24867 100644 --- a/rules/windows/discovery_active_directory_webservice.toml +++ b/rules/windows/discovery_active_directory_webservice.toml 
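Review bot: The setup text for `defense_evasion_wsl_registry_modification.toml` explains how to connect each source but not that the query depends on registry value-set events (`registry where ... registry.path : "*\\SOFTWARE\\...\\Lxss\\*\\PackageFamilyName"`), which is a different event category from the process telemetry the rest of the patch describes. If I recall correctly the Elastic Defend policy lets registry event collection be switched off per policy, and not every third-party source forwards registry writes, so a one-line requirement such as `This rule relies on registry modification events; confirm registry event collection is enabled for the selected integration.` would save an operator from deploying a rule that can never fire. Worth confirming against the integration docs before stating which sources need extra configuration.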
@@ -2,7 +2,7 @@ creation_date = "2024/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -79,6 +79,14 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o - Implement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Update and enhance monitoring rules to detect similar enumeration attempts in the future, focusing on unusual process behavior and network connections to critical services.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 5f7fdd3601a..23ba1a8f22c 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -102,6 +102,32 @@ process where host.os.type == "windows" and event.type == "start" and "objectcategory=attributeschema", "(objectcategory=attributeschema)", "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
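Review bot: For `discovery_adfind_command_activity.toml` the query only matches when `process.args` carries the AdFind switches (`domainlist`, `dclist`, `trustdmp`, ...), but the new setup section says nothing about the telemetry having to include the full command line. A short requirement line — `This rule requires process creation events that include the full command line; confirm command-line capture is enabled for the selected source.` — placed before the per-integration headings would make that dependency explicit. Which of the listed sources need extra configuration for that I cannot tell from this patch, so keep the sentence generic. The same applies to the other `process.args`/`process.command_line` rules touched here (dsquery, DISM, gpresult, fsutil).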
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index c6859be0da9..fc792c4efa7 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -93,6 +93,27 @@ process where host.os.type == "windows" and event.type == "start" and ) ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 6a9ece61262..17ac9925a1a 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -48,14 +48,6 @@ This rule looks for the execution of account discovery utilities using the SYSTE """ risk_score = 21 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", @@ -81,6 +73,17 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index fd505cadcf7..8f757df9eac 100644 
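Review bot: `discovery_command_system_account.toml` ends up with a one-entry list followed by the boilerplate about multiple datasets and an OR condition, which contradicts itself; the single-source phrasing used for `discovery_active_directory_webservice.toml` in this patch fits better, or add the `windows` source this file's `integration` field still declares. Removing the old `event.ingested` ingest-pipeline guidance looks safe since `min_stack_version` is already `8.14.0`, well past the 8.2 fallback the note described, so no objection there.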
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -91,6 +91,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "dsquery.exe" or ?process.pe.original_file_name: "dsquery.exe") and process.args : "*objectClass=trustedDomain*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 2ae2c9980bd..ed9eac30f79 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -97,6 +97,27 @@ process where host.os.type == "windows" and event.type == "start" and not process.parent.name : "PDQInventoryScanner.exe" and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml index 383c06fb8ee..3575d25093a 100644 --- a/rules/windows/discovery_group_policy_object_discovery.toml +++ b/rules/windows/discovery_group_policy_object_discovery.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/01/18" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -85,6 +85,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and (process.name: "gpresult.exe" or ?process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 91b672472ac..c34ce157214 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -81,6 +81,32 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and process.args : "fsinfo" and process.args : "drives"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
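Review bot: The added setup text opens with "This rule requires data from one of the following integrations:" and then lists only the four EDR sources, while the file's `integration` array (previous hunk) also names "windows" and "system"; read literally, the new text tells a reader that Sysmon or Windows event-log data cannot drive this rule, which the metadata does not say. If the omission is the intended Phase 1 scope, a lead-in such as `This rule can be fed by one of the following EDR integrations:` keeps the sentence accurate; the same wording appears in every setup hunk in this patch. The list/heading names are also not aligned within the block: the bullet says "CrowdStrike" and "M365 Defender" but the headings read "Crowdstrike FDR Setup" and "Microsoft Defender for Endpoint Setup", so a reader matching bullets to sections has to guess. Suggest one canonical name per source used in both the bullet and its heading, applied across all the copies of this template.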
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0ec10e4606e..4af1d60a120 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -109,6 +109,22 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe") )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 3cc541369c6..946692186cf 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -98,6 +98,32 @@ SolarWinds is a widely used IT management tool that can be targeted by adversari
 - Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.
 - Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index a3ec450fcf1..77cdb3576b3 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/14"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
@@ -94,6 +94,22 @@ SolarWinds is a widely used IT management software that operates critical networ
 - Update all SolarWinds software and related components to the latest versions to patch any known vulnerabilities that could be exploited.
 - Implement enhanced monitoring on the affected system and similar environments to detect any recurrence of suspicious activity, focusing on unusual child processes spawned by SolarWinds services.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts need to be addressed."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 5ae3834e292..f668fc85f63 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,32 @@ The Windows Component Object Model (COM) facilitates communication between softw
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack.
 - Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index de4625a0534..fa795ac16a8 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -137,6 +137,17 @@ sequence by process.entity_id
 "wpad", "localhost", "ocsp.comodoca.com", "ocsp.digicert.com", "ocsp.sectigo.com", "crl.comodoca.com" )]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
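Review bot: The setup block added to execution_command_prompt_connecting_to_the_internet.toml lists a single integration ("Elastic Defend") yet keeps the multi-source wording "one of the following integrations" and the "supports multiple datasets ... OR condition" note, which is contradictory for a one-item list and will read as a copy-paste slip. The patch already has a single-integration form of this template (the ping, .lnk and .url rules further down), so the two opening paragraphs can be collapsed to `This rule requires data from the Elastic Defend integration.` with the Note line dropped. The same one-item-with-OR-note block is added to execution_html_help_executable_program_connecting_to_the_internet.toml later in this patch and should get the same treatment. Both rules' `integration` arrays also list "windows"; if the sequence query is expected to work on Windows-integration data as well, that source would belong in the list, but I cannot confirm that from the hunk.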
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 00d3e93161d..b832b0eab80 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -127,6 +127,27 @@ host.os.type:windows and event.category:process and event.type:start and process
 process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.filters]]
 [rule.filters.meta]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 40d0ede836f..a44d497e441 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -16,14 +16,6 @@ license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
@@ -94,6 +86,27 @@ Cmd.exe is a command-line interpreter on Windows systems, often used for legitim
 - Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for cmd.exe and its parent processes to detect similar anomalies in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
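Review bot: The new setup block for execution_command_shell_started_by_unusual_process.toml names Elastic Defend, SentinelOne Cloud Funnel and M365 Defender as the sources this rule "requires", while the `tags` line left in place by the previous hunk still advertises "Data Source: Elastic Endgame" and "Data Source: Sysmon"; a reader comparing the two will not know whether Endgame or Sysmon telemetry is supported, unsupported, or simply not covered by this guide. Either add those two sources to the list (with a short pointer, since the rest of the template links to per-integration docs) or qualify the lead sentence so it does not claim exclusivity, e.g. `This rule can be fed by one of the following EDR integrations:`. The ordering of the bullets here (SentinelOne before M365 Defender) also differs from the other copies of this template in the patch; harmless, but one order everywhere makes review easier. The `[rule]` table this block belongs to starts outside the hunk.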
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index ba8b8c5ee03..8cc4f4bdf44 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -2,7 +2,7 @@ creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -78,6 +78,27 @@ RunDLL32 is a legitimate Windows utility used to execute functions in DLLs, ofte
 - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for rundll32.exe and related processes to detect similar activities in the future and improve response times."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index 906e6cd1566..768deb306d4 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -99,6 +99,14 @@ Ping, a network utility, can be misused by attackers to delay execution of malic
 - Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
 - Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index d4347a8e04b..1a8ebb440e9 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -66,6 +66,14 @@ Shortcut files (.lnk) are used in Windows environments to link to executable fil
 - Restore the system from a known good backup if any critical system files or configurations have been compromised.
 - Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
 - Update security policies and rules to block similar phishing attempts in the future, such as restricting the execution of .lnk files from untrusted sources."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index c667ef43f73..1feab15a9eb 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -68,6 +68,14 @@ URL shortcut files, typically used for quick access to web resources, can be exp
 - Review and analyze the network logs to identify any other systems that may have downloaded similar .url files and apply the same containment measures.
 - Escalate the incident to the security operations team for further investigation and to determine if there is a broader campaign targeting the organization.
 - Update security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources in the future."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 89da740cdd5..9e6c5942dec 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -97,6 +97,32 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da
 - Restore the system from a known good backup if any malicious activity is confirmed and cannot be remediated through other means.
 - Implement additional monitoring on the affected system and network to detect any recurrence of similar suspicious activities.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index efa858c22c5..5a54d34d2f1 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@ creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -234,6 +234,27 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Windows\\System32\\igfxCUIService.exe", "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe"))
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index bcdefc39bd2..27b7387606c 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -136,6 +136,17 @@ sequence by process.entity_id
 "FE80::/10", "FF00::/8") and not dns.question.name : "localhost"]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index b84a036135b..5e7e789985d 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -89,6 +89,32 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial - Apply any available security patches or updates to Foxmail and the operating system to mitigate known vulnerabilities and prevent future exploitation. - Monitor the network and systems for any signs of lateral movement or additional compromise, using indicators of compromise (IOCs) identified during the investigation. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional actions are required based on the scope and impact of the threat.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 38df66142d3..02c20f808be 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/17" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
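Review bot: The list under `This rule requires data from one of the following integrations:` reads as exhaustive, yet this file's `integration` field in the `@@ -4,7 +4,7 @@` hunk above also declares `windows` and `system`, neither of which appears in the list or receives a `###` section. An operator who ingests only those sources would conclude from the setup guide that the rule cannot run for them, even though the rule metadata says otherwise. The same gap is present in the mofcomp, powershell_susp_args_via_winscript, suspicious_cmd_wmi, suspicious_pdf_reader and via_compiled_html_file hunks, whose `integration` lists also include `system` and/or `windows`. If those sources are deliberately deferred to a later phase, one line such as `The windows and system integrations are also supported by this rule; see their integration documentation for setup.` would keep the list honest until their sections are added.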
@@ -66,6 +66,27 @@ process where host.os.type == "windows" and event.type == "start" and process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml index fb3d4878c02..45921a558fb 100644 --- a/rules/windows/execution_initial_access_wps_dll_exploit.toml 
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -86,6 +86,17 @@ DLL hijacking exploits the way applications load dynamic link libraries (DLLs), - Apply patches or updates for WPS Office to address the vulnerabilities CVE-2024-7262 and CVE-2024-7263, ensuring that the software is up to date and less susceptible to exploitation. - Monitor for any further suspicious activity related to the ksoqing protocol or similar DLL hijacking attempts, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index a20ec6e9ab6..052ebb34bad 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -86,6 +86,27 @@ Mofcomp.exe is a tool used to compile Managed Object Format (MOF) files, which d - Restore the system from a known good backup if unauthorized changes to the WMI repository or system files are detected. - Monitor for any recurrence of similar activity by setting up alerts for unusual mofcomp.exe executions and unauthorized WMI modifications. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 979a2d927a3..7a9cb5ac6ed 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/06" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -94,6 +94,14 @@ sequence with maxspan=2h not (process.name : "ShareFileForOutlook-v*.exe" and process.code_signature.subject_name : "Citrix Systems, Inc." and process.code_signature.trusted == true) ] by host.id, process.executable ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index e4f0ffccc51..64d30bcf99f 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -102,6 +102,17 @@ sequence with maxspan=2h ] by host.id, file.path [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index f047239b766..1744a676ae4 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml @@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -79,6 +79,22 @@ PowerShell, a powerful scripting language in Windows, is often targeted by adver - Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious activity. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 4b9ca9d1175..e5d2e67ad59 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -90,6 +90,17 @@ sequence by process.entity_id not process.parent.executable : "?:\\Program Files (x86)\\Cynet\\Cynet Scanner\\CynetScanner.exe"] [network where host.os.type == "windows" and process.name : "PsExec.exe"] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index fd36af956e9..7a7d70b4fc9 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -139,6 +139,17 @@ sequence by process.entity_id "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8") and network.protocol != "dns"] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 342cf86e9e1..5fd7cc25adc 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -80,6 +80,17 @@ PowerShell, a powerful scripting language in Windows, can automate tasks via the - Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack. - Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index f492ba75def..80c2a5ecd0b 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -44,6 +44,27 @@ type = "eql" query = ''' file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 1e94cbd2b8d..d32abfbd24b 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -91,6 +91,32 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. - Enhance monitoring and logging for WMI activities across the network to detect similar threats in the future, ensuring that logs are retained for an adequate period for forensic purposes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index be4da0bf53a..26a1789065d 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -23,14 +23,6 @@ references = [ ] risk_score = 21 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", 
@@ -85,6 +77,17 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if malicious activity has compromised system integrity or data. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for WMI activity and Microsoft Office processes to detect similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 20a79ff7b30..eacb179f16d 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -111,6 +111,32 @@ process where host.os.type == "windows" and event.type == "start" and "forfiles.exe", "schtasks.exe", "regasm.exe", "regsvcs.exe", "cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 9a59c84b8db..840d7e4ca0b 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -92,6 +92,14 @@ host.os.type:windows and event.category:library and process.code_signature.subject_name:"Chocolatey Software, Inc." and process.code_signature.trusted:true ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index ba63a982901..cf4e279da59 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -70,6 +70,22 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 7e4d4e6316e..aa38a4b2179 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -143,6 +143,32 @@ process where host.os.type == "windows" and event.type == "start" and process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
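Review bot: Vendor naming is inconsistent inside the added block: the bullet says `CrowdStrike` while the heading and body say `Crowdstrike FDR`, and the bullet says `M365 Defender` while its section is titled `Microsoft Defender for Endpoint Setup`. These strings are what a user searches the page for, so align them — `### CrowdStrike FDR Setup` and `CrowdStrike FDR` in the text, and either `- Microsoft Defender for Endpoint (via the M365 Defender integration)` in the bullet or `### M365 Defender Setup` for the heading. The same strings are copied into the other CrowdStrike/M365 blocks in this patch, so the fix should be applied to the template rather than this file alone.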
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 0ce73c893f8..3b6b5211104 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -98,6 +98,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask", "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie")) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 3dbd41d9eeb..bd46d8955e1 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml 
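Review bot: The bullet order in the added block (Elastic Defend, M365 Defender, SentinelOne Cloud Funnel) does not match the order of the sections beneath it (Elastic Defend, SentinelOne Cloud Funnel, Microsoft Defender for Endpoint), which makes the block harder to scan for the source a reader cares about. Listing the bullets in the order the sections appear — `- Elastic Defend`, `- SentinelOne Cloud Funnel`, `- M365 Defender` — keeps the two in step. This is presentational only and repeats across the other multi-source blocks in the patch.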
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -96,6 +96,32 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor - Restore the system from a known good backup if any unauthorized changes or damage is detected. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index b3c492dadc3..f65b1a77691 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
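Review bot: The sentence `Listed indexes and integrations should be interpreted as an OR condition` refers to indexes, but the setup block lists no index patterns — only integration names — so a reader cannot tell what "listed indexes" points to. Suggest `The integrations listed above are alternatives (an OR condition): data from any one of them is sufficient for this rule to run.` The `note` string this block is appended after starts outside the hunk.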
@@ -140,6 +140,22 @@ The Windows Command Shell (cmd.exe) is a critical component for executing comman - Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. - Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index 243c923f96d..fe463dd5b0d 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml 
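Review bot: This rule's `integration` list (metadata hunk above, `["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"…`) has no `endpoint` entry, so its primary data sources are the Windows and System integrations, yet the added setup says it "requires data from one of the following integrations" and names only SentinelOne Cloud Funnel and M365 Defender. A user shipping Windows Security or Sysmon process events through the Windows integration will read this guide as "not applicable" and may leave the rule disabled. Suggest adding a `### Windows Integration Setup` section, or at minimum `This rule also runs on process creation events from the Windows and System integrations.` above the note, so the guide covers the sources the rule was written for.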
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -142,6 +142,27 @@ PowerShell is a powerful scripting language and command-line shell used for task - Restore any affected files or system components from known good backups to ensure system integrity and functionality. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. - Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index 828b9b149c2..c25cfeeac42 100644 
--- a/rules/windows/execution_windows_script_from_internet.toml +++ b/rules/windows/execution_windows_script_from_internet.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0." min_stack_version = "8.15.0" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -81,6 +81,14 @@ Windows scripts, often used for legitimate automation tasks, can be exploited by - Review and analyze the origin URL and referrer URL of the downloaded script to identify potential malicious websites or compromised sources, and block these URLs at the network level. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 68dd5e0a326..558fb6b673f 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
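Review bot: The added setup says only that the rule needs Elastic Defend, but the metadata in this same file (`min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."`, `min_stack_version = "8.15.0"`) shows the rule appears to depend on MotW-enriched file events, which older Defend/stack versions do not emit. A reader following this guide on a pre-8.15 deployment would have the integration installed and still never see an alert, with no hint as to why. Suggest adding `Note: this rule relies on Mark-of-the-Web enrichment of Elastic Defend file events, available from Elastic Stack/Defend 8.15.0 onward.` under the Elastic Defend heading.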
@@ -2,7 +2,7 @@
 creation_date = "2023/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -115,6 +115,27 @@ Server Message Block (SMB) is a protocol used for sharing files and printers wit - Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure. - Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 1e0c2a2c735..84750c5ccee 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/10" +updated_date = "2025/02/24" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." @@ -62,14 +62,6 @@ This rule identifies file deletions performed by a process that does not belong references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"] risk_score = 47 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -114,6 +106,22 @@ file where host.os.type == "windows" and event.type == "deletion" and "?:\\$RECYCLE.BIN\\*" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). +""" [[rule.threat]] diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index ef7a9c714fb..4eac8739945 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -91,6 +91,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and process.args : "catalog" and process.args : "delete" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index f7f1fab038e..26c3d7f8e19 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -83,6 +83,27 @@ query = ''' event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index ca19fcf0a17..07120ad6d5d 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -94,6 +94,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "no" and process.args : "recoveryenabled") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 7f585c29ae5..d817b7976b9 100644 
--- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -78,6 +78,14 @@ sequence by host.id with maxspan=1s file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml index 392a87fdba2..5361334694e 100644 --- a/rules/windows/impact_ransomware_note_file_over_smb.toml +++ b/rules/windows/impact_ransomware_note_file_over_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
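Review bot: Not part of the added setup block, but visible in the query context of this hunk: the exclusion list `not file.extension : ("jpg", …, "pptx", "*.lnk")` mixes bare extensions with a wildcard pattern, and `file.extension` for a `.lnk` file is `lnk`, so `"*.lnk"` never matches; a rename that keeps the `.lnk` extension is therefore not excluded the way the other document types are, which looks like a false-positive source. If that is not intended, the entry should be `"lnk"`. The `sequence` this clause belongs to starts outside the hunk, so I can't see whether an earlier clause already constrains it.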
@@ -78,6 +78,14 @@ sequence by host.id with maxspan=1s /* ransom file name keywords */ file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index e0b021c713f..99703760cfc 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"] min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -78,6 +78,17 @@ event.category:process and host.os.type:windows and event.type:start and process process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid") and not process.parent.name:osquerybeat.exe ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 9e46ab442d5..d1af127ed94 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
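Review bot: The added block uses the multi-source template ("one of the following integrations", a one-item bullet list, and the "supports multiple datasets, but only one is required" note) for a setup that names a single integration, while the single-source blocks elsewhere in this patch (e.g. the PowerShell image-load and script-from-internet rules) use `This rule requires data from the Elastic Defend integration.` with no list. Either switch to that shorter form, or — since this rule's `integration` list is `["endpoint", "windows", "system"]` (metadata hunk above) — keep the list and add the Windows and System integrations so the multi-source wording is actually true for this rule.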
@@ -109,6 +109,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "vssadmin.exe" or ?process.pe.original_file_name == "VSSADMIN.EXE") and process.args : ("delete", "resize") and process.args : "shadows*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
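Review bot: The new setup lists four EDR sources, but the rule's `integration` field in the preceding hunk also declares `windows` and `system`, so a reader following this guide would conclude the Windows and System integrations are unsupported for this rule. If Phase 1 intentionally documents EDR sources only, a line such as `Note: this section covers EDR data sources; the Windows and System integrations declared for this rule are also supported.` would keep the guide consistent with the metadata. The same gap is present in the setup hunks for impact_volume_shadow_copy_deletion_via_powershell, impact_volume_shadow_copy_deletion_via_wmic, initial_access_execution_from_inetcache, initial_access_execution_via_office_addins, initial_access_exfiltration_first_time_seen_usb, initial_access_exploit_jetbrains_teamcity, initial_access_rdp_file_mail_attachment, initial_access_script_executing_powershell, initial_access_suspicious_ms_exchange_files and initial_access_suspicious_ms_exchange_process. As a point of style, the vendor is spelled `CrowdStrike` in the bullet list but `Crowdstrike` in the `### Crowdstrike FDR Setup` heading and its paragraph, and the bullet `M365 Defender` is headed `### Microsoft Defender for Endpoint Setup`; using one name in both places spares the reader a search for a section that seems to be missing.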
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 7128d3f9782..487aed05f1e 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -116,6 +116,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : ("*Win32_ShadowCopy*") and process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 69440e7f126..e9aa21a3983 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -110,6 +110,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "WMIC.exe" or ?process.pe.original_file_name == "wmic.exe") and process.args : "delete" and process.args : "shadowcopy" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 83b0ab0edd9..eee5d0fa256 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -54,14 +54,6 @@ HTML files, typically used for web content, can be exploited by adversaries to s This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence.""" risk_score = 47 rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -107,6 +99,14 @@ sequence by user.id with maxspan=2m "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*", "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")] ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
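Review bot: The setup text removed in the `@@ -54,14 +54,6 @@` hunk carried an operational caveat — EQL rules on non-Elastic-Agent indices before 8.2 lack `event.ingested` and need a custom ingest pipeline to populate it — and the replacement setup in the `@@ -107,6 +99,14 @@` hunk does not keep it. The rule's `index` patterns are not visible in this diff; if they still include a non-Elastic-Agent index such as a beats index, that caveat still applies and should be retained as a paragraph under the new `## Setup` heading. If the rule now reads Elastic Defend data only, dropping it is reasonable but worth stating in the commit description, since it is the only substantive removal on this page.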
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index c0d363686dd..806fe036d82 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -97,6 +97,32 @@ The INetCache folder stores temporary internet files, which can be exploited by - Review and analyze recent email logs and web browsing history to identify potential phishing attempts or malicious downloads that may have led to the initial compromise. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the INetCache directory and related processes to detect similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml index 839778a74ba..b7dd16ae474 100644 --- a/rules/windows/initial_access_execution_from_removable_media.toml +++ b/rules/windows/initial_access_execution_from_removable_media.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -76,6 +76,14 @@ Removable media, like USB drives, are often used for data transfer but can be ex - Collect and preserve relevant logs and forensic evidence from the affected system and removable media for further analysis and potential legal action. - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if other systems may be affected. - Implement enhanced monitoring and alerting for similar activities, focusing on process executions from removable media and unauthorized network connection attempts.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 313b2343f65..e06c19281c7 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml +++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -97,6 +97,14 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification, - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. This includes applying all relevant Windows updates and security patches. - Enhance monitoring and logging on the affected system and network to detect any similar future attempts. Ensure that all relevant security events are being captured and analyzed. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. Provide them with all relevant logs and findings for a comprehensive analysis.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index 153315f0ba3..f04cdc121e6 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -116,6 +116,27 @@ Microsoft Office Add-Ins enhance productivity by integrating additional features - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml index e1355901be6..bced969de58 100644 --- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funne min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -84,6 +84,27 @@ Removable devices, like USB drives, are common in Windows environments for data - Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats. - Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated. - Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on registry changes and device connections.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index e5635dbfb0b..7c0e58a8348 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -108,6 +108,27 @@ JetBrains TeamCity is a continuous integration and deployment server used to aut - Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain. - Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml index f0bf748ded6..c6d9ba08a2a 100644 --- a/rules/windows/initial_access_rdp_file_mail_attachment.toml +++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -95,6 +95,27 @@ Remote Desktop Protocol (RDP) allows users to connect to and control a computer - Reset credentials for any accounts that were used to open the suspicious RDP files, ensuring that new passwords are strong and unique. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more effectively in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 58ba10b2d4f..a690dcd7d8e 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -96,6 +96,27 @@ process where host.os.type == "windows" and event.type == "start" and process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 9676c40e1b9..cbec1c3f280 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -104,6 +104,17 @@ Windows Management Instrumentation (WMI) is a powerful Windows feature that allo - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign. - Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches. - Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 07be27f4b51..64036250033 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -76,6 +76,27 @@ file where host.os.type == "windows" and event.type == "creation" and not file.name : "TimeoutLogoff.aspx") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 2ab66ef3731..71f069ac1c9 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -118,6 +118,32 @@ Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging wi - Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise. - Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline. - Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 8ed1234cc95..fd4708c949e 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
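Review bot: The `### Crowdstrike FDR Setup` heading and its sentence spell the vendor as "Crowdstrike" while the list a few lines above says "CrowdStrike"; the same block is pasted into initial_access_suspicious_ms_office_child_process, initial_access_suspicious_ms_outlook_child_process, initial_access_webshell_screenconnect_server and lateral_movement_execution_from_tsclient_mup. Since this text is rendered to users as rule setup guidance, one spelling should be used throughout, e.g. `### CrowdStrike FDR Setup` and `This rule is compatible with telemetry generated by CrowdStrike FDR.`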
@@ -83,6 +83,27 @@ Microsoft Exchange Server uses the worker process (w3wp.exe) to handle web reque - Apply the latest security patches and updates to the Microsoft Exchange Server to mitigate known vulnerabilities and prevent exploitation. - Monitor network traffic and server logs for any signs of continued or attempted exploitation, focusing on unusual outbound connections or repeated access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
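Review bot: The integration list names "M365 Defender" but the matching section is titled `### Microsoft Defender for Endpoint Setup`, so a reader scanning headings cannot tell that the two refer to the same data source until they reach the sentence that mentions the M365 Defender integration. This applies to every multi-integration setup block in this patch, not only this file. Aligning the list entry with the heading, e.g. `- Microsoft Defender for Endpoint (M365 Defender integration)`, removes the ambiguity without touching the documentation link.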
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 98c8386fb66..63d15390d58 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -121,6 +121,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "srchadmin.dll" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index d55d70ce628..7e8e5f648f6 100644 
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -108,6 +108,32 @@ process where host.os.type == "windows" and event.type == "start" and "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
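Review bot: The integration list in this setup block is ordered Elastic Defend, SentinelOne Cloud Funnel, M365 Defender, CrowdStrike, whereas every other block in this patch (for example the preceding file, initial_access_suspicious_ms_office_child_process) orders it Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike, and the sections under the list follow a third order. The text appears to be shared boilerplate, so a consistent order across rules keeps the blocks diffable against each other; swapping the two middle list lines to `- M365 Defender` followed by `- SentinelOne Cloud Funnel` matches the rest. This is a style point only, not a functional one.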
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index c92b3bf2588..8d003a851fc 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -87,6 +87,27 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence. - Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from explorer.exe, especially when initiated via DCOM.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index c3bce1a876a..d0e9d54be6e 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -90,6 +90,32 @@ ScreenConnect, a remote support tool, allows administrators to control systems r - Apply security patches and updates to the ScreenConnect server and any other vulnerable applications to mitigate exploitation risks. - Restore the system from a known good backup if evidence of compromise is confirmed, ensuring that the backup is free from malicious artifacts. - Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and evidence for further investigation.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 2a1b8903abd..cc80db346b6 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -78,6 +78,14 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories. - Enhance monitoring and alerting for similar activities by ensuring that the detection rule is actively deployed and that alerts are configured to notify the appropriate personnel promptly.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 4ad06eacfbe..7d234617e67 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -78,6 +78,17 @@ The Service Control Manager in Windows allows for the management of services, wh - Restore the affected system from a known good backup if any malicious modifications or persistent threats are detected. - Implement network segmentation to limit the ability of adversaries to move laterally across the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index b9061b5cb2c..f69d8ee24de 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml 
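Review bot: The setup block for lateral_movement_cmd_service uses the multi-integration phrasing — "one of the following integrations:" followed by a single `- Elastic Defend` entry and the note that "only one is required" — which reads oddly with one option and differs from the single-integration wording this same patch uses in initial_access_xsl_script_execution_via_com (`This rule requires data from the Elastic Defend integration.`). The same single-entry list appears in lateral_movement_dcom_hta, lateral_movement_dcom_mmc20 and lateral_movement_dcom_shellwindow_shellbrowserwindow. These four files also declare `windows` in `integration`, so if that source is genuinely supported the list is missing an entry rather than the note being wrong; otherwise dropping the list and the "Note:" paragraph in favour of the single-integration sentence is the cleaner fix.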
@@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -83,6 +83,17 @@ DCOM allows software components to communicate over a network, enabling remote e - Review and restrict DCOM permissions and configurations on the affected host and other critical systems to limit the potential for similar attacks. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems have been compromised. - Update detection mechanisms and threat intelligence feeds to enhance monitoring for similar DCOM-based lateral movement attempts in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index d52089db2a5..d557541e7e9 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -82,6 +82,17 @@ Distributed Component Object Model (DCOM) enables software components to communi - Apply patches and updates to the affected systems and any other vulnerable systems in the network to mitigate known vulnerabilities that could be exploited. - Implement network segmentation to limit the ability of threats to move laterally within the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional actions are necessary.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index b810f2ddc96..5a239d5c2ed 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -83,6 +83,17 @@ DCOM enables software components to communicate over a network, often used in Wi - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited during the attack. - Enhance monitoring and logging on the network to detect similar DCOM abuse attempts, ensuring that alerts are configured for high TCP port activity and unusual process spawning by explorer.exe. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment or remediation actions are necessary.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 0b12322e3fe..d1fd9ca7458 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -83,6 +83,27 @@ The NullSessionPipe registry setting in Windows defines which named pipes can be - Reset credentials for any accounts that may have been compromised or used in conjunction with the unauthorized access to ensure they cannot be reused by adversaries. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected. - Implement enhanced monitoring and alerting for changes to the NullSessionPipes registry key and similar registry paths to detect and respond to future unauthorized modifications promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index b12114c9f3a..4cb9f0d2612 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -136,6 +136,14 @@ sequence by process.entity_id with maxspan=1m /* second sequence to capture network connections over port 445 related to SMB */ [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4] ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 5fc5de9d829..d5b01958795 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -101,6 +101,27 @@ Remote Desktop Shadowing allows administrators to view or control active RDP ses - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future. - Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index 5c039bad93b..dd2ec921758 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -83,6 +83,14 @@ sequence by host.id with maxspan=30s [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index fefd0ad1ad7..a2c6cf618a8 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ The TSClient mountpoint is a feature of the Remote Desktop Protocol (RDP) that a
 - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
 - Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for similar threats.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index b92e8e796b4..9529664a940 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/05"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -162,6 +162,14 @@ sequence with maxspan=1m
 ) ] by host.id, process.executable
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 5997eaad182..46eed2da92b 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
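Review bot: The vendor name is spelled two ways inside the new `setup` string: the list entry reads `- CrowdStrike`, while the heading and the sentence under it read `### Crowdstrike FDR Setup` and `telemetry generated by Crowdstrike FDR`. The product is CrowdStrike Falcon Data Replicator, so the heading and sentence should read `### CrowdStrike FDR Setup` and `This rule is compatible with telemetry generated by CrowdStrike FDR.` to match the bullet. The same lowercase spelling appears in the mount_hidden_or_webdav_share_net, remote_file_copy_hidden_share, unusual_dns_service_children and via_wsus_update hunks of this patch.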
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,17 @@ Windows Remote Management (WinRM) is a protocol that allows for remote managemen
 - Restore the affected system from a known good backup if any malicious activity or unauthorized changes are confirmed.
 - Implement network segmentation to limit the ability of threats to move laterally across the network, focusing on restricting access to critical systems.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 20f3b01c567..6c7cfabd1a2 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
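Review bot: The new `setup` string lists exactly one integration, `- Elastic Defend`, yet keeps the sentence `Note: This Detection Rule supports multiple datasets, but only one is required.`, which only makes sense with two or more entries; the executable_tool_transfer_smb hunk earlier in this patch already uses the single-integration wording `This rule requires data from the Elastic Defend integration.` and this block should use it too. The preceding hunk shows this file's `integration = ["endpoint", "windows"]`, so if the rule's index pattern is also served by the Windows integration that source belongs in the list; if not, the single-integration sentence is the accurate one. The same one-entry list followed by the OR note appears in the incoming_wmi, powershell_remoting_target, remote_services, scheduled_task_target, suspicious_rdp_client_imageload and unusual_dns_service_file_writes hunks.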
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -95,6 +95,17 @@ Windows Management Instrumentation (WMI) is a core Windows feature enabling remo
 - Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current.
 - Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns.
 - If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 3489b44f56e..b443b2ad0e7 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -92,6 +92,32 @@ WebDav and hidden remote shares facilitate file sharing and collaboration across
 - Implement network segmentation to limit access to critical systems and sensitive data, reducing the risk of lateral movement.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
 - Enhance monitoring and alerting for similar activities by ensuring that all relevant security tools are configured to detect and alert on suspicious use of net.exe and net1.exe."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 86d159976c9..f91f743f1cf 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -88,6 +88,17 @@ PowerShell Remoting enables administrators to execute commands on remote Windows
 - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited.
 - Enhance monitoring on the network for unusual activity on ports 5985 and 5986 to detect any future attempts at unauthorized PowerShell Remoting.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index be8f3779dbc..b8b4737422d 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -87,6 +87,27 @@ registry where host.os.type == "windows" and event.type == "change" and
 "?:\\Windows\\WinSxS\\*\\TiWorker.exe", "?:\\Windows\\system32\\svchost.exe")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 2ba965eb464..e025306fd17 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,14 @@ Remote Desktop Protocol (RDP) enables users to connect to and control remote sys
 - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent further unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for RDP connections and registry changes to detect and respond to similar threats more effectively in the future."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 31ed56556a6..52bdae8cb9b 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -91,6 +91,32 @@ In Windows environments, hidden network shares are often used for legitimate adm
 - Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access.
 - Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration.
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index bd46ed742ba..0e96c1beaf6 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -159,6 +159,17 @@ sequence with maxspan=1s
 "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" )] by host.id, process.parent.entity_id
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 962d7dc4f30..cd45f0bdeb5 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -73,6 +73,17 @@ sequence by host.id, process.entity_id with maxspan = 1m
 [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 49b26a6d28e..2ba17b8b36f 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -23,14 +23,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -103,6 +95,17 @@ The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desk
 - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
 - Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 805ca9ee914..e096bd5aa1c 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,32 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and not process.name : "conhost.exe"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index 6518800cbef..5998a02e2b7 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -54,6 +54,17 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type
 /* DNS logs with custom names, header converts to "DNS Server log" */ not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 51f0b83aabc..fc0475f46c1 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -82,6 +82,27 @@ The Windows Startup folder is a mechanism that allows programs to run automatica
 - Review and reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for RDP and SMB activities, focusing on unusual file creation events in Startup folders, to improve detection of similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 0b3bbc35872..2253ca08856 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -90,6 +90,32 @@ Windows Server Update Services (WSUS) is a system that manages updates for Micro - Reset credentials for any accounts that may have been compromised or used in the lateral movement attempt, especially those with administrative privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected. - Implement enhanced monitoring and logging for WSUS activities and PsExec executions to detect and respond to similar threats more effectively in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 9861af7bf42..d17e66e0e00 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
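Review bot: The added `setup` block for lateral_movement_via_wsus_update.toml spells the same integration two ways: the bullet says `- CrowdStrike`, while the heading and body say `### Crowdstrike FDR Setup` and "telemetry generated by Crowdstrike FDR". The bullet should name the integration the way its section does, e.g. `- CrowdStrike FDR`, so the list can be matched against the sections. The hunk header also shows `integration = ["endpoint", "windows", "system", ...]`; if the `system` and `windows` integrations are genuine feeds for this rule they deserve a mention in the list, and if not, the note that "any of them are supported" should be read against the `integration` field rather than this list alone.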
@@ -92,14 +92,6 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the references = ["https://twitter.com/pabraeken/status/997997818362155008"] risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" 
@@ -111,6 +103,27 @@ file where host.os.type == "windows" and event.type == "creation" and "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and not process.name : "msiexec.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index caae92210c6..6aeaa94c447 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml 
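Review bot: The new `setup` string lists only Elastic Defend, SentinelOne Cloud Funnel and M365 Defender, but the rule's `tags` line in the previous hunk still carries `Data Source: Elastic Endgame` and `Data Source: Sysmon`, and the file's `integration` field includes `windows`; a reader following the setup text would not learn that Sysmon data via the Windows integration is also a supported feed. Either add a bullet and a short section for the Windows integration (Sysmon), or, if those sources are no longer intended, drop the corresponding tags so the two lists agree. The same mismatch appears in the persistence_appcertdlls_registry.toml hunk that follows, whose tags also name Elastic Endgame and Sysmon while its setup omits them. The removal of the old `event.ingested` caveat looks correct given `min_stack_version = "8.14.0"` and needs no replacement.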
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -84,6 +84,27 @@ Application Compatibility Shim databases are used in Windows to ensure older app - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the specified registry paths and associated processes to detect and respond to similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 6a6a98051b5..cf792a4b446 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -19,14 +19,6 @@ license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" risk_score = 47 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
@@ -75,6 +67,27 @@ AppCert DLLs are dynamic link libraries that can be configured to load with ever - Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index b0ae3c89326..b77dc227c9a 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -135,6 +135,27 @@ registry where host.os.type == "windows" and event.type == "change" and "?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml index b4876433481..f145322230c 100644 --- a/rules/windows/persistence_browser_extension_install.toml +++ b/rules/windows/persistence_browser_extension_install.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -96,6 +96,27 @@ Browser extensions enhance functionality in web browsers but can be exploited by - Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 71504064689..a985a39ed75 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -75,6 +75,27 @@ registry where host.os.type == "windows" and event.type == "change" and "MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index 94f25c785e8..e49b7c3322b 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -93,6 +93,27 @@ Image File Execution Options (IFEO) is a Windows feature allowing developers to - Review and restore any altered or deleted system files from a known good backup to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 56a73df3705..eedb3d3942f 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -148,6 +148,27 @@ registry where host.os.type == "windows" and event.type == "change" and "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index d6ffe953c3e..e46b48d1108 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -76,6 +76,27 @@ Scheduled jobs in Windows environments allow tasks to be automated by executing - Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected. - Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index d8d21c6d8ab..2c71ea83e8b 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -89,6 +89,17 @@ Scheduled tasks in Windows automate routine tasks, but adversaries exploit them - Analyze the user account involved in the task creation for signs of compromise, and reset credentials if necessary to prevent further unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for scheduled task creation events to detect similar threats in the future, ensuring alerts are configured to notify the appropriate teams promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
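Review bot: The new `setup` string for persistence_local_scheduled_task_creation.toml lists a single integration ("one of the following integrations: - Elastic Defend") and then states "This Detection Rule supports multiple datasets, but only one is required", which contradicts the one-item list. The persistence_msi_installer_task_startup.toml hunk further down already uses the right single-source phrasing, `This rule requires data from the Elastic Defend integration.`, with no OR-condition note; this rule and persistence_local_scheduled_task_scripting.toml in the next hunk should use that variant. The `integration` field on both files is `["endpoint", "windows"]`, so if the Windows integration (Sysmon) is meant to be a supported feed it should be listed here instead, which would also make the "multiple datasets" note true.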
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index caa7c4dfb56..d76a96d59ee 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -55,6 +55,17 @@ sequence by host.id with maxspan = 30s "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions" )] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index b85c801827d..650f6eb7ff8 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -78,6 +78,27 @@ Microsoft Office AddIns enhance productivity by allowing custom functionalities - Review and restore any altered system configurations or settings to their default state to ensure system integrity. - Monitor the affected system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 5ce927e6f48..1e85b7b4336 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -77,6 +77,27 @@ Microsoft Outlook supports VBA scripting to automate tasks, which can be exploit
 - Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender for Endpoint to identify and remove any additional threats.
 - Review and update endpoint security policies to restrict unauthorized modifications to Outlook VBA files, leveraging application whitelisting or similar controls.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
index 67b1a2b8cf3..0615d07ac3e 100644
--- a/rules/windows/persistence_msi_installer_task_startup.toml
+++ b/rules/windows/persistence_msi_installer_task_startup.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -85,6 +85,14 @@ Windows Installer, through msiexec.exe, facilitates software installation and co
 - Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
 - Review and update security policies to restrict the use of msiexec.exe for non-administrative users, reducing the risk of exploitation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index ac992d40a27..60bd0fc0f33 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
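Review bot: The new setup guide lists Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, but this file's `integration` array in the preceding hunk also declares `"windows"`, which the guide never mentions. Either the Windows integration (Sysmon-fed events) is a supported source for this rule and deserves a list bullet plus its own `### … Setup` section like the other three, or `"windows"` should be dropped from `integration` so the metadata and the guide agree; which is intended is not visible in the diff. The same metadata/guide mismatch appears in persistence_netsh_helper_dll, persistence_powershell_exch_mailbox_activesync_add_device (which additionally declares `"system"`), persistence_powershell_profiles, persistence_priv_escalation_via_accessibility_features, persistence_registry_uncommon, persistence_runtime_run_key_startup_susp_procs, persistence_services_registry, persistence_startup_folder_file_written_by_suspicious_process, persistence_startup_folder_scripts and persistence_suspicious_image_load_scheduled_task_ms_office. A reader who only has Sysmon via the Windows integration gets no indication from the guide whether the rule will fire for them.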
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
@@ -77,6 +77,27 @@ The Office Test Registry key in Windows environments allows specifying a DLL to
 - Review recent user activity and system logs to identify any unauthorized access or changes that may have led to the registry modification, and reset credentials if necessary.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry modifications across the network to detect and respond to future attempts promptly."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 508ccf74a61..2496da18793 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -77,6 +77,27 @@ Netsh, a command-line utility in Windows, allows for network configuration and d
 - Review and restore any altered system configurations to their original state to ensure system integrity.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs to detect similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index d43d6d6685d..8b8ea3adeba 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -92,6 +92,32 @@ ActiveSync is a protocol enabling mobile devices to synchronize with Exchange ma
 - Notify the security team and relevant stakeholders about the incident for further investigation and potential escalation.
 - Implement additional monitoring on the affected account and similar accounts for any unusual activity or further attempts to add unauthorized devices.
 - Review and update the organization's security policies and procedures related to mobile device access and PowerShell usage to prevent recurrence."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration.
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 429be36cbb6..72b1b35fa2a 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
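Review bot: The vendor name is spelled two ways inside this one guide: the source list says `- CrowdStrike` while the heading and paragraph say `### Crowdstrike FDR Setup` and `telemetry generated by Crowdstrike FDR`; pick one form for all three. This file's `integration` array (in the preceding hunk) also declares `"system"`, and none of the four sections tells a reader what the System integration contributes or how to enable it, so either add a short section for it or drop it from the list if it is not a real source for this query. The M365 Defender paragraph is split across two physical lines here, which looks like a rendering artefact rather than a newline in the file, but is worth confirming in the committed text.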
@@ -127,6 +127,27 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "?:\\Windows\\System32\\WindowsPowerShell\\*") and
 file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 6e23f13d359..f029a927694 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -148,6 +148,22 @@ process where host.os.type == "windows" and event.type == "start" and
 /* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */
 /* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index bdfb1d87180..4fc958fd877 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -151,6 +151,17 @@ Windows Registry is a critical system database storing configuration settings. A
 - Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 989c93c945a..a27f536872f 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
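Review bot: The setup text added in the `@@ -151,6 +151,17 @@` hunk uses the multi-source template (`This rule requires data from one of the following integrations:` followed by a lone `- Elastic Defend` bullet and the "OR condition" note) even though only one source is listed, whereas single-source rules elsewhere in this commit, e.g. persistence_msi_installer_task_startup and persistence_run_key_and_startup_broad, use the shorter `This rule requires data from the Elastic Defend integration.` A one-item OR list reads as if a second entry went missing, and this file's `integration` is `["endpoint", "windows"]`, so the likely fix is either a second bullet for the Windows integration with its own setup section, or switching to the single-source wording. persistence_runtime_run_key_startup_susp_procs and persistence_suspicious_image_load_scheduled_task_ms_office carry the same one-bullet list and the same `["endpoint", "windows"]` metadata.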
@@ -306,6 +306,14 @@ registry where host.os.type == "windows" and event.type == "change" and
 )
 )
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 9c3d573ec62..b53b2c164ca 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -87,6 +87,17 @@ Persistent programs, like scripts or rundll32, are often used by adversaries to
 - Review and restore any modified system configurations or registry settings to their default or secure state.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the affected host and similar systems to detect any recurrence or related suspicious activities."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index cbd24408d74..a371018ad9d 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -163,6 +163,14 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing
 - Review and restore any modified system configurations or settings to their original state to ensure system integrity.
 - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for svchost.exe and DLL loading activities to detect similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 45a0fd20e7b..e318d0eaa24 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,27 @@ Windows services are crucial for running background processes. Adversaries may e
 - Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 8a9b9603c59..0758146e4bb 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -145,6 +145,27 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "iexplore.exe",
 "InstallUtil.exe")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 12ea89d5a27..3b5fe2dabcd 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -127,6 +127,14 @@ sequence by host.id, process.entity_id with maxspan=5s
 "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*")
 ]
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 84bfe1d5aba..ce208aa7b68 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -136,6 +136,27 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
 "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index e436e53ec15..7c37a3ecf1c 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -61,14 +61,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -137,6 +129,14 @@ registry where host.os.type == "windows" and event.type == "change" and
 "?:\\Windows\\System32\\DriverStore\\FileRepository\\*.exe",
 "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe")
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 380f74446f4..e399e4b3c28 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
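Review bot: The replacement setup text in the `@@ -137,6 +129,14 @@` hunk drops the operational caveat that the removed block carried: on indices not written by Elastic Agent (the old text names beats) the EQL rule depends on `event.ingested`, which such documents may not populate, and nothing in the new text mentions it. This file's header hunk shows no `min_stack_version`, so whether the stack floor makes the built-in fallback universal is not evident from the diff; if beats-sourced data is still a supported path for this rule, keeping one sentence such as `Note: if your index does not populate event.ingested, add an ingest pipeline that sets it from @timestamp (see https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).` preserves the guidance. If the repository's supported stack range already makes this moot, a short remark in the PR description saying so would stop the next reader from re-adding it. The same block is removed from persistence_suspicious_image_load_scheduled_task_ms_office, where `min_stack_version = "8.14.0"` plausibly makes the pre-8.2 caveat irrelevant.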
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -116,14 +116,6 @@ references = [ ] risk_score = 21 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", @@ -145,6 +137,17 @@ any where host.os.type == "windows" and process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index ddea5aed90f..9e1af140f88 100644 
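Review bot: The setup block added in the @@ -145 hunk lists a single source under "one of the following integrations" and then states that the rule "supports multiple datasets", which reads as contradictory, and it leaves out the Windows integration that this file's `integration = ["endpoint", "windows"]` and its `min_stack_comments` still declare. Either add the second source to the list, or use the single-source wording the persistence_suspicious_com_hijack_registry hunk uses, `This rule requires data from the Elastic Defend integration.`, and drop the Note sentence. The same one-item list appears in the persistence_sysmon_wmi_event_subscription and persistence_via_hidden_run_key_valuename hunks, and the `windows`/`system` integrations are likewise absent from the multi-source lists in persistence_suspicious_service_created_registry, persistence_system_shells_via_services and the later persistence_* hunks in this chunk. If leaving non-EDR sources out is intentional for this phase, a sentence saying so would stop readers from concluding that an EDR is mandatory for the rule to fire.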
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -108,6 +108,14 @@ Scheduled tasks in Windows automate routine tasks, but adversaries exploit them - Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index ff5705b38f7..6f2ffea80c4 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -81,6 +81,27 @@ Windows services are crucial for running background processes. Adversaries explo - Review and restore any modified system files or configurations to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index c8428323a3a..a79be508608 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/02" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.15.0" min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0." @@ -80,6 +80,17 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Review and reset any compromised credentials, especially if SYSTEM privileges were potentially accessed or escalated. - Monitor the network for any signs of similar activity or attempts to recreate the WMI event subscription, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2e166e46f76..35ffaf78fd5 100644 
--- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -117,6 +117,32 @@ process where host.os.type == "windows" and event.type == "start" and /* Third party FP's */ not process.args : "NVDisplay.ContainerLocalSystem" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 015261644dd..fe87cf395b3 100644 
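Review bot: The list in the added setup block uses `- CrowdStrike` while the matching heading is `### Crowdstrike FDR Setup`, and `- M365 Defender` is paired with `### Microsoft Defender for Endpoint Setup`, so a reader looking for the section named in the list has to guess at the mapping; using the heading's name in the list entry (for example `- Crowdstrike FDR`) removes that step. The list order here (SentinelOne Cloud Funnel, M365 Defender, CrowdStrike) also differs from the persistence_user_account_creation hunk (M365 Defender, SentinelOne Cloud Funnel, CrowdStrike) although both files carry the same set of sources; a fixed order across rules would make these generated guides easier to diff later. The persistence_via_bits_job_notify_command hunk has the same reversed order.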
--- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -130,6 +130,27 @@ registry where host.os.type == "windows" and event.type == "change" and ) and not registry.data.strings : "C:\\Windows\\SYSTEM32\\w32time.DLL" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index dc9761a2517..9892cc2a3f4 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -85,6 +85,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : ("net.exe", "net1.exe") and not process.parent.name : "net.exe") and (process.args : "user" and process.args : ("/ad", "/add")) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 96d9b8692fb..b0ccaa7a802 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ Application shimming is a Windows feature designed to ensure software compatibil - Review and restore any altered system configurations or registry settings to their default or secure state. - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for `sdbinst.exe` executions across the network to detect and respond to future attempts at application shimming.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index 426b95c70fa..94bb7871821 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -76,6 +76,27 @@ Background Intelligent Transfer Service (BITS) is a Windows service that facilit - Update and run a full antivirus and anti-malware scan on the affected system to ensure no additional threats are present. - Review and enhance endpoint protection policies to prevent unauthorized use of BITS for persistence, ensuring that only trusted applications can create or modify BITS jobs. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 293ceeb1f54..e4cb536f9bb 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -23,14 +23,6 @@ references = [ ] risk_score = 73 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -98,6 +90,17 @@ The Windows Registry is a critical system database that stores configuration set - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution. - Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 3c6f26520bd..f8ab5928472 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -83,6 +83,27 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat - Review and update access controls and permissions to ensure that only authorized personnel can modify critical registry paths related to Security Support Providers. - Monitor the affected system and network for any signs of re-infection or further suspicious activity, focusing on registry changes and process executions. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 84273532709..64f8d3cb4dc 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -94,6 +94,32 @@ The Microsoft Compatibility Appraiser, part of Windows telemetry, uses scheduled - Analyze the system for any unauthorized changes to user accounts or privileges, and revert any modifications to ensure that only legitimate users have access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the affected system and similar scheduled tasks across the network to detect any future attempts at hijacking or unauthorized modifications.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index d13d6375a2e..33107981d23 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -145,6 +145,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 43ae1cc412f..51ee3addba4 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml 
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da
 - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through manual remediation.
 - Update and patch the system to the latest security standards to mitigate any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index df5ba00f618..9dfe0da5523 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -166,6 +166,14 @@ registry where host.os.type == "windows" and event.type == "change" and
 "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script"
 )
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index dd9983e07a8..9ec7074696a 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -95,6 +95,32 @@ process where host.os.type == "windows" and event.type == "start" and process.pa
 (process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe")
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 4178b2f6460..d8ba334e2f3 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -114,6 +114,32 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
index 799049a573b..13b65f2d13c 100644
--- a/rules/windows/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -78,6 +78,27 @@ Werfault, the Windows Error Reporting service, can be manipulated by attackers t
 - Review and restore any system or application configurations that may have been altered by the attacker to their original state.
 - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for registry changes in the specified paths to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
index ab8e8584da6..5a5568dbfd0 100644
--- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
+++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -94,6 +94,14 @@ In Windows environments, tokens are used to represent user credentials and permi
 - Review recent file modifications and system logs to identify any additional indicators of compromise or unauthorized activities that may have occurred.
 - Restore any altered or corrupted system files from a known good backup to ensure system integrity and functionality.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 430416e2605..81ead2c2618 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -106,6 +106,27 @@ registry where host.os.type == "windows" and event.type == "change" and
 ) and
 registry.data.strings : ("0", "0x00000000")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
index 00b8597b887..e9b45a597e9 100644
--- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
+++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -80,6 +80,17 @@ The DNS service in Windows environments is crucial for resolving domain names to
 - Review and update the system's security patches and configurations to address any vulnerabilities that may have been exploited, particularly those related to privilege escalation.
 - Monitor the system and network for any signs of continued or repeated unauthorized activity, focusing on similar indicators of compromise.
 - Report the incident to the appropriate internal security team or external authorities if required, providing details of the threat and actions taken for further investigation and response."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
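Review bot: The new setup block for privilege_escalation_dns_serverlevelplugindll uses the "one of the following integrations" template with a single list item and keeps the multi-dataset OR note, while the header hunk of the same file declares `integration = ["endpoint", "windows"]`, so the guide neither matches the single-integration wording used elsewhere in this commit nor the declared data sources. Either switch to the wording the other single-source rules use, `This rule requires data from the Elastic Defend integration.`, and drop the OR note, or add a section covering the Windows integration so readers are not told Elastic Defend is the only supported source. The same mismatch appears in the privilege_escalation_persistence_phantom_dll hunk at the end of this chunk. More broadly, several rules here list `windows` and `system` in `integration` but get setup sections only for Elastic Defend, M365 Defender, SentinelOne and CrowdStrike; if that omission is intentional for Phase 1, a one-line note in the setup text saying which declared integrations are not yet documented would keep the list from reading as exhaustive.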
diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml
index cec1e42a855..b641817723d 100644
--- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml
+++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -114,6 +114,14 @@ type = "new_terms"
 query = '''
 event.category:"driver" and host.os.type:windows and event.action:"load"
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml
index d96ccf10bfe..d01bb64dbb2 100644
--- a/rules/windows/privilege_escalation_expired_driver_loaded.toml
+++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -71,6 +71,14 @@ In Windows environments, drivers facilitate communication between the OS and har
 - Apply the latest security patches and driver updates to close any vulnerabilities that may have been exploited.
 - Restore the system from a known good backup if any unauthorized changes or persistent threats are detected.
 - Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
index 760a2e136ca..c472a7b9e69 100644
--- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -79,6 +79,27 @@ CVE-2022-38028 targets the Windows Print Spooler service, a core component manag
 - Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations.
 - Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules.
 - Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 422f24a07d1..c1771b90440 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -81,6 +81,27 @@ Group Policy Objects (GPOs) are crucial for centralized management in Windows en
 - Notify the security operations center (SOC) and escalate the incident to the incident response team for further investigation and to determine the scope of the compromise.
 - Implement additional monitoring on GPO paths and domain admin activities to detect any further unauthorized changes or suspicious behavior.
 - Review and strengthen access controls and auditing policies for GPO management to prevent unauthorized modifications in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index 52bf1177ba3..d21347726f4 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -99,14 +99,6 @@ This rule detects the default execution of the PoC, which overwrites the `elevat
 references = ["https://github.com/klinix5/InstallerFileTakeOver"]
 risk_score = 73
 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -139,6 +131,14 @@ process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name == null
 )
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 24dcc87b0fe..246cdb97f55 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -75,6 +75,22 @@ The Local Security Authority (LSA) in Windows manages authentication and securit
 - Review and reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for registry changes, particularly those involving LSA authentication packages, to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
index 962de6246e1..199a6d1541e 100644
--- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
+++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "window
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,27 @@ Windows Installer (MSI) is a service used for software installation and maintena
 - Restore the affected system from a known good backup if unauthorized changes or persistent threats are detected that cannot be easily remediated.
 - Monitor the network for any signs of similar exploitation attempts or related suspicious activities, using enhanced detection rules and threat intelligence feeds.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery efforts."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index b75be0c1682..33c75286bf1 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -133,6 +133,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : ("Cmd.Exe", "PowerShell.EXE") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
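Review bot: The added setup block states the rule "requires data from one of the following integrations" and lists Elastic Defend, M365 Defender, SentinelOne Cloud Funnel and CrowdStrike, but the file's `integration` metadata in the preceding hunk also declares `windows` and `system`, so users collecting through those integrations (presumably Sysmon and Security event logs, given the `min_stack_comments` reference to the Windows Integration) will read the list as excluding them. The same gap is in every other section of this patch whose `integration` list contains `windows` or `system`: persistence_phantom_dll, printspooler_registry_copyfiles, printspooler_service_suspicious_file, printspooler_suspicious_file_deletion, reg_service_imagepath_mod, rogue_windir_environment_var, service_control_spawned_script_int, uac_bypass_com_clipup, uac_bypass_com_ieinstal, uac_bypass_com_interface_icmluautil, uac_bypass_diskcleanup_hijack and uac_bypass_dll_sideloading. If Phase 1 is intentionally limited to EDR sources, say so in the block, e.g. `Note: this guide covers the EDR integrations only; the Windows and System integrations listed in the rule metadata are also supported.`, so the list is not read as exhaustive.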
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 6ae392c415a..c0b859f6289 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -68,14 +68,6 @@ references = [ ] risk_score = 73 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -160,6 +152,17 @@ any where host.os.type == "windows" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
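Review bot: The new setup block lists Elastic Defend as the only integration yet keeps the paragraph `Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition...`, which describes a choice between sources that does not exist here; the same single-source blocks with this paragraph are added in printspooler_registry_copyfiles and reg_service_imagepath_mod. Drop the paragraph when a single integration is listed, or emit it only for rules with more than one entry. The removed `event.ingested` caveat concerned stacks below 8.2 and is superseded by the `min_stack_version = "8.14.0"` line in this file's metadata, so no guidance is lost by deleting it.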
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 507d5cfaa98..1eb3173a5a4 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,22 @@ Port monitors and print processors are integral to Windows printing, managing da - Review and reset credentials for any accounts that may have been compromised, especially those with elevated privileges, to prevent unauthorized access. - Implement application whitelisting to prevent unauthorized DLLs from executing, focusing on the paths identified in the alert. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected, ensuring comprehensive threat containment and eradication.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 410f3e64a76..de876262a6a 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml 
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -88,6 +88,17 @@ The Windows Print Spooler service manages print jobs and is integral to printing - Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service. - Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 30d052601d3..4293b3a52fd 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -86,6 +86,27 @@ The Print Spooler service in Windows manages print jobs, but vulnerabilities lik - Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred. - Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms. - Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.filters]] [rule.filters.meta] 
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index a4d9dff6d29..47975a56de7 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -82,6 +82,27 @@ The Print Spooler service in Windows manages print jobs and interactions with pr - Apply the latest security patches and updates to the Print Spooler service and related components to mitigate known vulnerabilities. - Monitor the affected system and network for any signs of further suspicious activity, focusing on similar file deletion patterns or privilege escalation attempts. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index baf7f5ac53e..a89cb3e72ed 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -138,6 +138,22 @@ file where host.os.type == "windows" and event.type != "deletion" and "?:\\PROGRA~2\\*.exe", "?:\\Windows\\System32\\rundll32.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index 12a9f06a241..e37fd3b10cf 100644 
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -123,6 +123,17 @@ Windows services are crucial for system operations, often running with high priv - Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index fb4436a95de..ba1fc034880 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml 
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -89,6 +89,27 @@ The Windir environment variable points to the Windows directory, crucial for sys - Reset passwords for any user accounts that may have been compromised, especially those with elevated privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to alter critical environment variables or other suspicious activities.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index 1ab090ec688..6b261166806 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -118,6 +118,27 @@ process where host.os.type == "windows" and event.type == "start" and /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */ not user.id : "S-1-5-18" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index db3e02e1630..b9c3d4de054 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -79,6 +79,27 @@ User Account Control (UAC) is a security feature in Windows designed to prevent - Update and patch the operating system and all installed software to the latest versions to mitigate known vulnerabilities. - Implement application whitelisting to prevent unauthorized programs from executing, focusing on blocking non-standard paths for critical system executables. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 37eb6ce566f..752a1724407 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -82,6 +82,27 @@ User Account Control (UAC) is a security feature in Windows designed to prevent - Update and patch the affected system to the latest security updates to mitigate known vulnerabilities that could be exploited for UAC bypass. - Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories. - Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 336f80f317d..1555780c934 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -77,6 +77,22 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us - Update and patch the operating system and all installed software to mitigate any known vulnerabilities that could be exploited for UAC bypass. - Implement application whitelisting to prevent unauthorized applications from executing, focusing on blocking the execution of `dllhost.exe` with suspicious arguments. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index d7cc1793a86..e1ac00b88d0 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -97,6 +97,32 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u - Update and patch the affected system to the latest security updates to mitigate any known vulnerabilities that could be exploited for UAC bypass. - Monitor the affected system and network for any signs of recurring unauthorized activity or similar UAC bypass attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index dc35aabe197..e77d48aafe1 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -83,6 +83,27 @@ The IFileOperation COM interface is a Windows component used for file operations - Apply any pending security patches and updates to the operating system and installed software to mitigate known vulnerabilities. - Monitor the network for any signs of similar activity or attempts to exploit the IFileOperation COM interface on other systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
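Review bot: The new setup section lists only Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, but the file's `integration` metadata in the first hunk also names `windows`, so a reader who collects this rule's process events through the Windows integration (presumably Sysmon) gets no setup guidance from the section. Either the `windows` entry should be dropped from the metadata if it is no longer a supported source, or the section should gain a `- Windows` bullet and a short `### Windows Integration Setup` subsection pointing at that integration's documentation; I cannot tell from this hunk which is intended, since the rule's index patterns are outside it. The same gap exists in the event_viewer, mock_windir, winfw_mmc_hijack, unquoted_service_path, unusual_parentchild_relationship, unusual_printspooler_childprocess and unusual_svchost_childproc_childless sections, several of which also list `system` in their metadata.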
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index f2c7c23ecd7..0befe65edd3 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -140,6 +140,32 @@ process where host.os.type == "windows" and event.type == "start" and "?\\Device\\HarddiskVolume?\\Windows\\Sys?????\\WerFault.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 41c0ca0acb8..eaad6df1e89 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -132,6 +132,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 64b893efdb8..0e00c1cc8d5 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -123,6 +123,27 @@ process where host.os.type == "windows" and event.type == "start" and /* args of the Windows Firewall SnapIn */ process.parent.args == "WF.msc" and process.name != "WerFault.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml index e833d27561b..2c93ad15657 100644 --- a/rules/windows/privilege_escalation_unquoted_service_path.toml +++ b/rules/windows/privilege_escalation_unquoted_service_path.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -86,6 +86,27 @@ Unquoted service paths in Windows can be exploited by adversaries to escalate pr - Restore the affected system from a known good backup if malicious activity is confirmed and system integrity is compromised. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar suspicious activities across the network to detect and respond to future attempts promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index f5bc7027f9c..978efb104ef 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -160,6 +160,32 @@ process.parent.name != null and (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe")) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index 1818cfcba80..a74da2896e5 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -94,6 +94,17 @@ The Print Spooler service, integral to Windows environments, manages print jobs - Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed. - Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
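Review bot: The setup section added to the print spooler rule lists a single integration (Elastic Defend) but keeps the multi-dataset note `Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.`, which reads as contradictory when there is only one entry to choose from. The ppid_spoofing, token_theft and wpad sections later in this patch use the single-source wording `This rule requires data from the Elastic Defend integration.` with no bullet list and no note, and this section should follow that template for consistency. Separately, the file's `integration` metadata in the preceding hunk names `windows` and `system` alongside `endpoint`, so limiting the setup to Elastic Defend may understate the supported sources; worth confirming against the rule's index patterns, which are outside this hunk.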
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index d2e8805865a..87ed78c2cc4 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -101,6 +101,27 @@ Service Host (svchost.exe) is a critical Windows process that hosts multiple ser - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring and logging for svchost.exe and related processes to detect similar anomalies in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index c46205436f9..22a245081f3 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -131,6 +131,14 @@ Parent Process ID (PPID) spoofing is a technique where adversaries manipulate th - Restore the system from a known good backup if necessary, ensuring that all malicious artifacts are removed and system integrity is maintained. - Implement additional monitoring and logging on the affected system and network to detect any recurrence of similar activities. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index bcb02117785..5bee7725e4e 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -28,12 +28,6 @@ setup = """## Setup Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings: `condition equal "contains" and keyword equal "pipe"` - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" tags = [ diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index 115e4a75c6e..a713396cbfd 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml +++ b/rules/windows/privilege_escalation_via_token_theft.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -135,6 +135,14 @@ In Windows environments, processes can be created with elevated tokens to perfor - Implement additional monitoring on the affected system and network to detect any further attempts at privilege escalation or token manipulation. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems. - Review and update endpoint protection and detection capabilities to ensure they are configured to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on Access Token Manipulation (T1134).""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml index 3720a8cc335..079682a7dd3 100644 --- a/rules/windows/privilege_escalation_wpad_exploitation.toml +++ b/rules/windows/privilege_escalation_wpad_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "development" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -72,6 +72,14 @@ The Web Proxy Auto-Discovery Protocol (WPAD) helps devices on a network automati - Apply security patches and updates to the operating system and all software to mitigate known vulnerabilities that could be exploited by similar attacks. - Monitor network traffic for any further suspicious DNS queries or unusual outbound connections, particularly those involving the WPAD service, to detect any ongoing or new threats. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to ensure comprehensive remediation and recovery efforts.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] From 9daae7bd00930845b3d8eee7be2cdb70329c127e Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 24 Feb 2025 13:18:28 -0300 Subject: [PATCH 2/3] minor tweak per docs --- rules/windows/collection_email_powershell_exchange_mailbox.toml | 2 +- rules/windows/collection_winrar_encryption.toml | 2 +- rules/windows/command_and_control_certreq_postdata.toml | 2 +- rules/windows/command_and_control_dns_tunneling_nslookup.toml | 2 +- .../command_and_control_encrypted_channel_freesslcert.toml | 2 +- rules/windows/command_and_control_headless_browser.toml | 2 +- ...and_and_control_new_terms_commonly_abused_rat_execution.toml | 2 +- rules/windows/command_and_control_outlook_home_page.toml | 2 +- .../command_and_control_port_forwarding_added_registry.toml | 2 +- rules/windows/command_and_control_rdp_tunnel_plink.toml | 2 +- .../command_and_control_remote_file_copy_desktopimgdownldr.toml | 2 +- .../windows/command_and_control_remote_file_copy_mpcmdrun.toml | 2 +- rules/windows/command_and_control_remote_file_copy_scripts.toml | 2 +- rules/windows/command_and_control_screenconnect_childproc.toml | 2 +- .../command_and_control_teamviewer_remote_file_copy.toml | 2 +- rules/windows/command_and_control_tool_transfer_via_curl.toml | 2 +- rules/windows/command_and_control_tunnel_vscode.toml | 2 +- rules/windows/credential_access_cmdline_dump_tool.toml | 2 +- .../credential_access_copy_ntds_sam_volshadowcp_cmdline.toml | 2 +- rules/windows/credential_access_credential_dumping_msbuild.toml | 2 +- .../credential_access_domain_backup_dpapi_private_keys.toml | 2 +- rules/windows/credential_access_dump_registry_hives.toml | 2 +- rules/windows/credential_access_generic_localdumps.toml | 2 +- .../credential_access_iis_connectionstrings_dumping.toml | 2 +- .../credential_access_imageload_azureadconnectauthsvc.toml | 2 +- .../credential_access_kerberoasting_unusual_process.toml | 2 +- rules/windows/credential_access_kirbi_file.toml | 2 +- rules/windows/credential_access_lsass_memdump_file_created.toml | 2 +- 
rules/windows/credential_access_lsass_openprocess_api.toml | 2 +- .../windows/credential_access_mimikatz_memssp_default_logs.toml | 2 +- .../credential_access_mod_wdigest_security_provider.toml | 2 +- ..._access_persistence_network_logon_provider_modification.toml | 2 +- .../credential_access_relay_ntlm_auth_via_http_spoolss.toml | 2 +- rules/windows/credential_access_saved_creds_vaultcmd.toml | 2 +- rules/windows/credential_access_veeam_commands.toml | 2 +- rules/windows/credential_access_wbadmin_ntds.toml | 2 +- rules/windows/credential_access_wireless_creds_dumping.toml | 2 +- ...ion_adding_the_hidden_file_attribute_with_via_attribexe.toml | 2 +- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml | 2 +- rules/windows/defense_evasion_amsienable_key_mod.toml | 2 +- .../defense_evasion_clearing_windows_console_history.toml | 2 +- rules/windows/defense_evasion_clearing_windows_event_logs.toml | 2 +- ..._evasion_code_signing_policy_modification_builtin_tools.toml | 2 +- ...fense_evasion_code_signing_policy_modification_registry.toml | 2 +- rules/windows/defense_evasion_create_mod_root_certificate.toml | 2 +- .../windows/defense_evasion_defender_disabled_via_registry.toml | 2 +- .../defense_evasion_defender_exclusion_via_powershell.toml | 2 +- .../defense_evasion_delete_volume_usn_journal_with_fsutil.toml | 2 +- rules/windows/defense_evasion_disable_nla.toml | 2 +- .../defense_evasion_disable_posh_scriptblocklogging.toml | 2 +- ...fense_evasion_disable_windows_firewall_rules_with_netsh.toml | 2 +- .../defense_evasion_disabling_windows_defender_powershell.toml | 2 +- rules/windows/defense_evasion_disabling_windows_logs.toml | 2 +- rules/windows/defense_evasion_dns_over_https_enabled.toml | 2 +- .../windows/defense_evasion_dotnet_compiler_parent_process.toml | 2 +- .../windows/defense_evasion_enable_inbound_rdp_with_netsh.toml | 2 +- .../defense_evasion_enable_network_discovery_with_netsh.toml | 2 +- ...defense_evasion_execution_control_panel_suspicious_args.toml 
| 2 +- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml | 2 +- ...defense_evasion_execution_msbuild_started_by_office_app.toml | 2 +- .../defense_evasion_execution_msbuild_started_by_script.toml | 2 +- ...nse_evasion_execution_msbuild_started_by_system_process.toml | 2 +- .../defense_evasion_execution_msbuild_started_renamed.toml | 2 +- ...efense_evasion_execution_msbuild_started_unusal_process.toml | 2 +- .../defense_evasion_execution_suspicious_explorer_winword.toml | 2 +- .../defense_evasion_execution_windefend_unusual_path.toml | 2 +- rules/windows/defense_evasion_file_creation_mult_extension.toml | 2 +- rules/windows/defense_evasion_from_unusual_directory.toml | 2 +- .../defense_evasion_hide_encoded_executable_registry.toml | 2 +- rules/windows/defense_evasion_iis_httplogging_disabled.toml | 2 +- rules/windows/defense_evasion_indirect_exec_forfiles.toml | 2 +- rules/windows/defense_evasion_installutil_beacon.toml | 2 +- rules/windows/defense_evasion_lolbas_win_cdb_utility.toml | 2 +- ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +- rules/windows/defense_evasion_masquerading_renamed_autoit.toml | 2 +- ...ense_evasion_masquerading_suspicious_werfault_childproc.toml | 2 +- .../windows/defense_evasion_masquerading_trusted_directory.toml | 2 +- rules/windows/defense_evasion_masquerading_werfault.toml | 2 +- rules/windows/defense_evasion_microsoft_defender_tampering.toml | 2 +- .../defense_evasion_misc_lolbin_connecting_to_the_internet.toml | 2 +- rules/windows/defense_evasion_ms_office_suspicious_regmod.toml | 2 +- .../defense_evasion_msbuild_making_network_connections.toml | 2 +- rules/windows/defense_evasion_mshta_beacon.toml | 2 +- rules/windows/defense_evasion_msiexec_child_proc_netcon.toml | 2 +- rules/windows/defense_evasion_msxsl_network.toml | 2 +- .../defense_evasion_network_connection_from_windows_binary.toml | 2 +- .../defense_evasion_persistence_account_tokenfilterpolicy.toml | 2 +- 
.../defense_evasion_powershell_windows_firewall_disabled.toml | 2 +- rules/windows/defense_evasion_proxy_execution_via_msdt.toml | 2 +- .../defense_evasion_reg_disable_enableglobalqueryblocklist.toml | 2 +- rules/windows/defense_evasion_right_to_left_override.toml | 2 +- rules/windows/defense_evasion_root_dir_ads_creation.toml | 2 +- rules/windows/defense_evasion_rundll32_no_arguments.toml | 2 +- rules/windows/defense_evasion_sc_sdset.toml | 2 +- .../defense_evasion_scheduledjobs_at_protocol_enabled.toml | 2 +- rules/windows/defense_evasion_script_via_html_app.toml | 2 +- rules/windows/defense_evasion_sdelete_like_filename_rename.toml | 2 +- rules/windows/defense_evasion_sip_provider_mod.toml | 2 +- ...asion_solarwinds_backdoor_service_disabled_via_registry.toml | 2 +- rules/windows/defense_evasion_suspicious_certutil_commands.toml | 2 +- ...efense_evasion_suspicious_execution_from_mounted_device.toml | 2 +- .../defense_evasion_suspicious_managedcode_host_process.toml | 2 +- rules/windows/defense_evasion_suspicious_scrobj_load.toml | 2 +- .../windows/defense_evasion_suspicious_short_program_name.toml | 2 +- rules/windows/defense_evasion_suspicious_wmi_script.toml | 2 +- .../windows/defense_evasion_suspicious_zoom_child_process.toml | 2 +- ...nse_evasion_system_critical_proc_abnormal_file_activity.toml | 2 +- rules/windows/defense_evasion_unusual_ads_file_creation.toml | 2 +- rules/windows/defense_evasion_unusual_dir_ads.toml | 2 +- .../defense_evasion_unusual_network_connection_via_dllhost.toml | 2 +- ...defense_evasion_unusual_network_connection_via_rundll32.toml | 2 +- .../defense_evasion_unusual_process_network_connection.toml | 2 +- .../defense_evasion_unusual_system_vp_child_program.toml | 2 +- rules/windows/defense_evasion_via_filter_manager.toml | 2 +- .../windows/defense_evasion_workfolders_control_execution.toml | 2 +- rules/windows/defense_evasion_wsl_bash_exec.toml | 2 +- rules/windows/defense_evasion_wsl_child_process.toml | 2 +- 
rules/windows/defense_evasion_wsl_enabled_via_dism.toml | 2 +- rules/windows/defense_evasion_wsl_filesystem.toml | 2 +- rules/windows/defense_evasion_wsl_kalilinux.toml | 2 +- rules/windows/defense_evasion_wsl_registry_modification.toml | 2 +- rules/windows/discovery_adfind_command_activity.toml | 2 +- rules/windows/discovery_admin_recon.toml | 2 +- rules/windows/discovery_command_system_account.toml | 2 +- .../discovery_enumerating_domain_trusts_via_dsquery.toml | 2 +- .../windows/discovery_enumerating_domain_trusts_via_nltest.toml | 2 +- rules/windows/discovery_group_policy_object_discovery.toml | 2 +- rules/windows/discovery_peripheral_device.toml | 2 +- rules/windows/discovery_whoami_command_activity.toml | 2 +- .../execution_apt_solarwinds_backdoor_child_cmd_powershell.toml | 2 +- ...ecution_apt_solarwinds_backdoor_unusual_child_processes.toml | 2 +- rules/windows/execution_com_object_xwizard.toml | 2 +- .../execution_command_prompt_connecting_to_the_internet.toml | 2 +- rules/windows/execution_command_shell_started_by_svchost.toml | 2 +- .../execution_command_shell_started_by_unusual_process.toml | 2 +- rules/windows/execution_command_shell_via_rundll32.toml | 2 +- rules/windows/execution_enumeration_via_wmiprvse.toml | 2 +- rules/windows/execution_from_unusual_path_cmdline.toml | 2 +- ...html_help_executable_program_connecting_to_the_internet.toml | 2 +- rules/windows/execution_initial_access_foxmail_exploit.toml | 2 +- rules/windows/execution_initial_access_via_msc_file.toml | 2 +- rules/windows/execution_initial_access_wps_dll_exploit.toml | 2 +- rules/windows/execution_mofcomp.toml | 2 +- rules/windows/execution_pdf_written_file.toml | 2 +- rules/windows/execution_powershell_susp_args_via_winscript.toml | 2 +- rules/windows/execution_psexec_lateral_movement_command.toml | 2 +- ...tion_register_server_program_connecting_to_the_internet.toml | 2 +- rules/windows/execution_scheduled_task_powershell_source.toml | 2 +- 
rules/windows/execution_shared_modules_local_sxs_dll.toml | 2 +- rules/windows/execution_suspicious_cmd_wmi.toml | 2 +- .../windows/execution_suspicious_image_load_wmi_ms_office.toml | 2 +- rules/windows/execution_suspicious_pdf_reader.toml | 2 +- rules/windows/execution_suspicious_psexesvc.toml | 2 +- rules/windows/execution_via_compiled_html_file.toml | 2 +- rules/windows/execution_via_hidden_shell_conhost.toml | 2 +- rules/windows/execution_via_mmc_console_file_unusual_path.toml | 2 +- rules/windows/execution_windows_cmd_shell_susp_args.toml | 2 +- rules/windows/execution_windows_powershell_susp_args.toml | 2 +- rules/windows/exfiltration_smb_rare_destination.toml | 2 +- rules/windows/impact_backup_file_deletion.toml | 2 +- rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml | 2 +- rules/windows/impact_high_freq_file_renames_by_kernel.toml | 2 +- rules/windows/impact_modification_of_boot_config.toml | 2 +- rules/windows/impact_stop_process_service_threshold.toml | 2 +- ...act_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml | 2 +- .../impact_volume_shadow_copy_deletion_via_powershell.toml | 2 +- rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml | 2 +- rules/windows/initial_access_execution_from_inetcache.toml | 2 +- rules/windows/initial_access_execution_via_office_addins.toml | 2 +- .../initial_access_exfiltration_first_time_seen_usb.toml | 2 +- rules/windows/initial_access_exploit_jetbrains_teamcity.toml | 2 +- rules/windows/initial_access_rdp_file_mail_attachment.toml | 2 +- rules/windows/initial_access_script_executing_powershell.toml | 2 +- .../windows/initial_access_scripts_process_started_via_wmi.toml | 2 +- rules/windows/initial_access_suspicious_ms_exchange_files.toml | 2 +- .../windows/initial_access_suspicious_ms_exchange_process.toml | 2 +- ...tial_access_suspicious_ms_exchange_worker_child_process.toml | 2 +- .../initial_access_suspicious_ms_office_child_process.toml | 2 +- 
.../initial_access_suspicious_ms_outlook_child_process.toml | 2 +- ...nitial_access_via_explorer_suspicious_child_parent_args.toml | 2 +- rules/windows/initial_access_webshell_screenconnect_server.toml | 2 +- rules/windows/lateral_movement_cmd_service.toml | 2 +- rules/windows/lateral_movement_dcom_hta.toml | 2 +- rules/windows/lateral_movement_dcom_mmc20.toml | 2 +- .../lateral_movement_dcom_shellwindow_shellbrowserwindow.toml | 2 +- ...ent_defense_evasion_lanman_nullsessionpipe_modification.toml | 2 +- rules/windows/lateral_movement_evasion_rdp_shadowing.toml | 2 +- rules/windows/lateral_movement_execution_from_tsclient_mup.toml | 2 +- .../lateral_movement_incoming_winrm_shell_execution.toml | 2 +- rules/windows/lateral_movement_incoming_wmi.toml | 2 +- .../lateral_movement_mount_hidden_or_webdav_share_net.toml | 2 +- rules/windows/lateral_movement_powershell_remoting_target.toml | 2 +- rules/windows/lateral_movement_rdp_enabled_registry.toml | 2 +- .../windows/lateral_movement_remote_file_copy_hidden_share.toml | 2 +- rules/windows/lateral_movement_remote_services.toml | 2 +- rules/windows/lateral_movement_scheduled_task_target.toml | 2 +- .../lateral_movement_suspicious_rdp_client_imageload.toml | 2 +- .../windows/lateral_movement_unusual_dns_service_children.toml | 2 +- .../lateral_movement_unusual_dns_service_file_writes.toml | 2 +- rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml | 2 +- rules/windows/lateral_movement_via_wsus_update.toml | 2 +- rules/windows/persistence_adobe_hijack_persistence.toml | 2 +- rules/windows/persistence_app_compat_shim.toml | 2 +- rules/windows/persistence_appcertdlls_registry.toml | 2 +- rules/windows/persistence_appinitdlls_registry.toml | 2 +- rules/windows/persistence_browser_extension_install.toml | 2 +- .../persistence_evasion_hidden_local_account_creation.toml | 2 +- rules/windows/persistence_evasion_registry_ifeo_injection.toml | 2 +- ...sistence_evasion_registry_startup_shell_folder_modified.toml | 2 +- 
rules/windows/persistence_local_scheduled_job_creation.toml | 2 +- rules/windows/persistence_local_scheduled_task_creation.toml | 2 +- rules/windows/persistence_local_scheduled_task_scripting.toml | 2 +- rules/windows/persistence_ms_office_addins_file.toml | 2 +- rules/windows/persistence_ms_outlook_vba_template.toml | 2 +- rules/windows/persistence_msoffice_startup_registry.toml | 2 +- rules/windows/persistence_netsh_helper_dll.toml | 2 +- ...rsistence_powershell_exch_mailbox_activesync_add_device.toml | 2 +- rules/windows/persistence_powershell_profiles.toml | 2 +- .../persistence_priv_escalation_via_accessibility_features.toml | 2 +- rules/windows/persistence_registry_uncommon.toml | 2 +- .../windows/persistence_runtime_run_key_startup_susp_procs.toml | 2 +- rules/windows/persistence_services_registry.toml | 2 +- ...tence_startup_folder_file_written_by_suspicious_process.toml | 2 +- rules/windows/persistence_startup_folder_scripts.toml | 2 +- ...sistence_suspicious_image_load_scheduled_task_ms_office.toml | 2 +- .../persistence_suspicious_service_created_registry.toml | 2 +- rules/windows/persistence_sysmon_wmi_event_subscription.toml | 2 +- rules/windows/persistence_system_shells_via_services.toml | 2 +- rules/windows/persistence_time_provider_mod.toml | 2 +- rules/windows/persistence_user_account_creation.toml | 2 +- rules/windows/persistence_via_application_shimming.toml | 2 +- rules/windows/persistence_via_bits_job_notify_command.toml | 2 +- rules/windows/persistence_via_hidden_run_key_valuename.toml | 2 +- .../persistence_via_lsa_security_support_provider_registry.toml | 2 +- ...ersistence_via_telemetrycontroller_scheduledtask_hijack.toml | 2 +- .../persistence_via_update_orchestrator_service_hijack.toml | 2 +- ...a_windows_management_instrumentation_event_subscription.toml | 2 +- .../persistence_via_xp_cmdshell_mssql_stored_procedure.toml | 2 +- rules/windows/persistence_webshell_detection.toml | 2 +- rules/windows/persistence_werfault_reflectdebugger.toml 
| 2 +- rules/windows/privilege_escalation_disable_uac_registry.toml | 2 +- .../windows/privilege_escalation_dns_serverlevelplugindll.toml | 2 +- rules/windows/privilege_escalation_exploit_cve_202238028.toml | 2 +- .../privilege_escalation_gpo_schtask_service_creation.toml | 2 +- rules/windows/privilege_escalation_lsa_auth_package.toml | 2 +- .../privilege_escalation_msi_repair_via_mshelp_link.toml | 2 +- .../windows/privilege_escalation_named_pipe_impersonation.toml | 2 +- rules/windows/privilege_escalation_persistence_phantom_dll.toml | 2 +- .../privilege_escalation_port_monitor_print_pocessor_abuse.toml | 2 +- .../privilege_escalation_printspooler_registry_copyfiles.toml | 2 +- ...ivilege_escalation_printspooler_service_suspicious_file.toml | 2 +- ...vilege_escalation_printspooler_suspicious_file_deletion.toml | 2 +- .../privilege_escalation_printspooler_suspicious_spl_file.toml | 2 +- .../windows/privilege_escalation_reg_service_imagepath_mod.toml | 2 +- .../privilege_escalation_rogue_windir_environment_var.toml | 2 +- ...privilege_escalation_service_control_spawned_script_int.toml | 2 +- rules/windows/privilege_escalation_uac_bypass_com_clipup.toml | 2 +- rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml | 2 +- ...rivilege_escalation_uac_bypass_com_interface_icmluautil.toml | 2 +- .../privilege_escalation_uac_bypass_diskcleanup_hijack.toml | 2 +- .../privilege_escalation_uac_bypass_dll_sideloading.toml | 2 +- rules/windows/privilege_escalation_uac_bypass_event_viewer.toml | 2 +- rules/windows/privilege_escalation_uac_bypass_mock_windir.toml | 2 +- .../privilege_escalation_uac_bypass_winfw_mmc_hijack.toml | 2 +- rules/windows/privilege_escalation_unquoted_service_path.toml | 2 +- .../privilege_escalation_unusual_parentchild_relationship.toml | 2 +- .../privilege_escalation_unusual_printspooler_childprocess.toml | 2 +- ...rivilege_escalation_unusual_svchost_childproc_childless.toml | 2 +- 268 files changed, 268 insertions(+), 268 deletions(-) 
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 160d98974cc..03bd5c386e1 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -108,7 +108,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index a06d82df9a8..d5225aa7271 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -111,7 +111,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index 42c16b8f6c6..15575dd927f 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -141,7 +141,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index da233fd0df6..af6407930f7 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -91,7 +91,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index c4b9ce107e0..15295d0b16f 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -87,7 +87,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index 48780cb0da8..41768001852 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index 35a71da98c7..66e275b64a0 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -283,7 +283,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
index a6549acd5fe..0f9c3aab2e9 100644
--- a/rules/windows/command_and_control_outlook_home_page.toml
+++ b/rules/windows/command_and_control_outlook_home_page.toml
@@ -91,7 +91,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 60d81860b10..8cb41a62fd0 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -94,7 +94,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 43e044ea2fb..0f5b6f7e93f 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 2e6836fbeac..8823bc2126c 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -176,7 +176,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 88e3acc2829..97c14254ff3 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -174,7 +174,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 54a3b6e198c..3034b326170 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -125,7 +125,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index aa243f75308..a74601f3af9 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -111,7 +111,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 070804f5f3a..506dd4e85e2 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -128,7 +128,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index 83de06cbc71..6d2c4b283d6 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 061e2dbc149..a26f24f538c 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -98,7 +98,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 5c07313332b..22521cdb9e2 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -125,7 +125,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 61103497076..2cc452871de 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -154,7 +154,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 561b9961f7c..308ad05d638 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -128,7 +128,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 7750a4913bd..d73bd58851c 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -43,7 +43,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 55b3e1a5df4..a1f371a20d7 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -101,7 +101,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index bc5babc0c86..a250f1ffe09 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -91,7 +91,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 67f18b40ae3..5979b84450d 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -101,7 +101,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
index 26d0d0eec76..3d244051195 100644
--- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
+++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
@@ -94,7 +94,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index e1048ac4236..3a34841eb4f 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -172,7 +172,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index fbd84f3f3e4..71bcb911127 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -71,7 +71,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index a0372da7719..3f2f7b9520d 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -152,7 +152,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index b0dc8303f64..7cd5845344c 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -188,7 +188,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index c39626eda9b..8fe626d4fe0 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -84,7 +84,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 2c0ec8a4900..38d6883f69f 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 696d06d117c..470dac851e1 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -149,7 +149,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 361a578e736..25d560ba2f7 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -106,7 +106,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index f384dd6c324..9e20b8ee3e4 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index b460d7deebf..40785a638c0 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
index 3151877f86e..dd17e09647b 100644
--- a/rules/windows/credential_access_wbadmin_ntds.toml
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index c2270fdbc6c..c6b5275b460 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -129,7 +129,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 279c3ef8fdc..8948c0c0caf 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -139,7 +139,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 9b552c8a697..8569302457f 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -146,7 +146,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index 27c06f7fec5..ce2d66070de 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -105,7 +105,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 01994825b49..f87cc1a73bb 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -104,7 +104,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 435bcea7789..2f6186e5d17 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -104,7 +104,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 27a1e69cdbd..b8737343222 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -127,7 +127,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index 6f81c93274c..632f7a917d4 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
@@ -118,7 +118,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 2a9e90444df..3cdc75869a3 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -133,7 +133,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 7dee6a256af..4f6d1d66409 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -106,7 +106,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 182e74af9e8..9aa0071c4b6 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -114,7 +114,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 0dab756a38b..0dbec8d63d1 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -92,7 +92,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
index 4997d1560b5..f6cd2623279 100644
--- a/rules/windows/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index f4c63b944a0..22d421cd1c2 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index e2eee1cd52e..168ac537803 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 7ca33f994f8..ce4c341cd5f 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -104,7 +104,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index d8ad5d9292d..346e9c8b674 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -109,7 +109,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 46100f8cd88..891b9389c97 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 5e587648f69..6dc3355eedf 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -96,7 +96,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 63dc4d13005..b06fd3649dc 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index ebeaf2025c2..8c804f78a6f 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -92,7 +92,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index e64ea1df2b4..2dd86f6f878 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -106,7 +106,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 81043aceada..7a1107d6c9d 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -144,7 +144,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 0de4800c418..5b69f0f88f1 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -125,7 +125,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 5defa4755b1..0ed1fcfef2e 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -80,7 +80,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index d1f5b33f2c0..286403dc0dd 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index de9c899b262..449a40fa5d3 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -123,7 +123,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 78645dc14fd..ed50810a2e7 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -91,7 +91,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
 
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index cdc05c675f4..7fbe9acde6c 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations: - Elastic Defend - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index fe7ce995f75..0ccd35353f6 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -91,7 +91,7 @@ This rule requires data from one of the following integrations: - Elastic Defend - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 7120abee2b8..505319ddedc 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml 
@@ -83,7 +83,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 44ce8beaf63..30611fd538f 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -181,7 +181,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 58c977192b3..33996491e6b 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml 
@@ -70,7 +70,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index ee70981193d..07867c7432f 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -96,7 +96,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index 2f3f696ec5c..57a8614aa72 100644 --- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml +++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml 
@@ -85,7 +85,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index 66ac0c9b101..52e1ffedcda 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -83,7 +83,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index 0511a7f840e..043ecd5e810 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml 
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations: - M365 Defender - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 3bb0f0ace25..5325ebf068d 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -114,7 +114,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 2553172d635..75d695f4799 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
@@ -120,7 +120,7 @@ This rule requires data from one of the following integrations: - Elastic Defend - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index d37cb4b15f3..d90db864594 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -102,7 +102,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 55c159babcb..a436ef4dce0 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml 
@@ -119,7 +119,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index c8af94fb510..0ac54dd4f48 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -132,7 +132,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index ba882c5bba3..a0b70d7cac0 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml 
@@ -139,7 +139,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index d5e5006cce6..2251beaa4e7 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -135,7 +135,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index 86b0295105f..bef4c65630a 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml 
@@ -114,7 +114,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### SentinelOne Cloud Funnel Setup diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 3fd6c5e9435..45345612e4d 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -155,7 +155,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 03ca574b24e..3d28b0d043c 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml 
@@ -86,7 +86,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml index 7420f188780..402a140db36 100644 --- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml +++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml @@ -90,7 +90,7 @@ This rule requires data from one of the following integrations: - Elastic Defend - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index ff001ba195e..1dfe40290de 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml 
@@ -86,7 +86,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index d78eafb6773..338cd4ac3a8 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -190,7 +190,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index eee27e1b167..09292c9c021 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml 
@@ -92,7 +92,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index c61709e5a7c..74cef4f8900 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -112,7 +112,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index bd702f6f51c..5ac8d4ee02d 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml 
@@ -94,7 +94,7 @@ This rule requires data from one of the following integrations: - Elastic Defend - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index 41cb655a827..1af806e08b5 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -97,7 +97,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml index 4a0a2cb652b..a68d20efc90 100644 --- a/rules/windows/defense_evasion_right_to_left_override.toml +++ b/rules/windows/defense_evasion_right_to_left_override.toml 
@@ -92,7 +92,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml index 84e8a94e383..2c102ae46e8 100644 --- a/rules/windows/defense_evasion_root_dir_ads_creation.toml +++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml @@ -93,7 +93,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 160a50f880a..9a998415f89 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml 
@@ -128,7 +128,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index 7010e7d3434..0f8326f75d1 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml @@ -91,7 +91,7 @@ This rule requires data from one of the following integrations: - M365 Defender - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index 39cac1d64bb..c05dd6bf212 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
@@ -87,7 +87,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml index dbfcbcbd4f9..5ad7c442959 100644 --- a/rules/windows/defense_evasion_script_via_html_app.toml +++ b/rules/windows/defense_evasion_script_via_html_app.toml @@ -119,7 +119,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - M365 Defender -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### SentinelOne Cloud Funnel Setup diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index e5992a94907..8e68a9fd428 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml 
@@ -78,7 +78,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 289104c3bc0..4af35a3fcad 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -90,7 +90,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index a142f7dc585..a3496cce19c 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml 
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations: - M365 Defender - SentinelOne Cloud Funnel -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index 81f940524cc..fd7869206f2 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -146,7 +146,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 50dbbb01388..5ef8f6517af 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml 
@@ -84,7 +84,7 @@ setup = """## Setup This rule requires data from one of the following integrations: - Elastic Defend -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 734be00cfa1..b250a6d54b5 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -93,7 +93,7 @@ This rule requires data from one of the following integrations: - SentinelOne Cloud Funnel - CrowdStrike -Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. ### Elastic Defend Setup diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 23f2ccd8d87..09f070d4b76 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml 
@@ -97,7 +97,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index e42f0b73ce1..b943ca2a7cf 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -119,7 +119,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index e1634288d5a..c0795eaff24 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -86,7 +86,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 295e2223337..d49dcd24163 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -137,7 +137,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 61260d34c7c..63c65d9e21a 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -132,7 +132,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 7569d464f86..0db516cb4d9 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -167,7 +167,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 2d230bd4e1c..be18146dc77 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -83,7 +83,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index a4cbeba99ff..21d9a553a45 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -89,7 +89,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 1ad10b727d4..078baabc429 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -88,7 +88,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index ea770d0f246..03140f59319 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -96,7 +96,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 1424efdb2a3..037eb93e474 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index beb92221eda..a88a06d19ec 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -143,7 +143,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index fbc2a8e3975..8858828a3d5 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -98,7 +98,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### SentinelOne Cloud Funnel Setup
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 9e89a64d6a3..3146f857537 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -108,7 +108,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index ff04426a817..0967f8815e2 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -116,7 +116,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index 74176429e50..56bd5fa1450 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index fb0314892d6..2e15bde193e 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -86,7 +86,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 15d84637450..4ea22c290cc 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -104,7 +104,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 4222b2250fc..6b246b4abcc 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 23ba1a8f22c..9a2f630e44e 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -110,7 +110,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index fc792c4efa7..097fd32d0a5 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 17ac9925a1a..12e5d4a9201 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -78,7 +78,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 8f757df9eac..f41c375ce32 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index ed9eac30f79..ef669c65038 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -104,7 +104,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 3575d25093a..70b0278e5ef 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index c34ce157214..0b29888c6c2 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 4af1d60a120..fe0194a6bf1 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -115,7 +115,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 946692186cf..4537953e923 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -106,7 +106,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 77cdb3576b3..32be4d65e6f 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index f668fc85f63..819a1dbcec2 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -109,7 +109,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index fa795ac16a8..017c8b89cd6 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -142,7 +142,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index b832b0eab80..5693c74ddec 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -134,7 +134,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index a44d497e441..571e99bbdcb 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 8cc4f4bdf44..85c8895df78 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -85,7 +85,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 9e6c5942dec..78cb3e6c01c 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -105,7 +105,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 5a54d34d2f1..cd2d5a51863 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -241,7 +241,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 27b7387606c..5d16e438106 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -141,7 +141,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index 5e7e789985d..cad8804dcaf 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index 02c20f808be..005dc3118c6 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -73,7 +73,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml
index 45921a558fb..64b2562208d 100644
--- a/rules/windows/execution_initial_access_wps_dll_exploit.toml
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml
@@ -91,7 +91,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
index 052ebb34bad..18e01ab272f 100644
--- a/rules/windows/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 64d30bcf99f..f6b302b8f4a 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -107,7 +107,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 1744a676ae4..6ffc0e5009d 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -85,7 +85,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### SentinelOne Cloud Funnel Setup
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index e5d2e67ad59..92db686b115 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -95,7 +95,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 7a7d70b4fc9..d5997e8af46 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -144,7 +144,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 5fd7cc25adc..ef15207a340 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -85,7 +85,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 80c2a5ecd0b..351c83651d6 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -51,7 +51,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index d32abfbd24b..f5f32ede663 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 26a1789065d..df9d1acdce9 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -82,7 +82,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index eacb179f16d..f24e72ade1e 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -119,7 +119,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index cf4e279da59..19d51845f37 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -76,7 +76,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index aa38a4b2179..1e2ed1eda28 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -151,7 +151,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 3b6b5211104..35ecdfdec05 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -105,7 +105,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index bd46d8955e1..0a23928f2f3 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -104,7 +104,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
index f65b1a77691..9b61c068350 100644
--- a/rules/windows/execution_windows_cmd_shell_susp_args.toml
+++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml
@@ -146,7 +146,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### SentinelOne Cloud Funnel Setup
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index fe463dd5b0d..e9d04a88894 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -149,7 +149,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### SentinelOne Cloud Funnel Setup
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml
index 558fb6b673f..11ef6b694f6 100644
--- a/rules/windows/exfiltration_smb_rare_destination.toml
+++ b/rules/windows/exfiltration_smb_rare_destination.toml
@@ -122,7 +122,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 84750c5ccee..fc23b943684 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -112,7 +112,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 4eac8739945..914c697d345 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index 26c3d7f8e19..f40e43ec810 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 07120ad6d5d..919843cd528 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -102,7 +102,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 99703760cfc..765e69ed7f9 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -83,7 +83,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index d1af127ed94..f0da58db31c 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -117,7 +117,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 487aed05f1e..cc58d18ae47 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -124,7 +124,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index e9aa21a3983..c95dc017cff 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -118,7 +118,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index 806fe036d82..b1d5c0bd0df 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -105,7 +105,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index f04cdc121e6..f29835b5ebd 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -123,7 +123,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index bced969de58..640a51593be 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -91,7 +91,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index 7c0e58a8348..1062ed8d7c8 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -115,7 +115,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
index c6d9ba08a2a..8bb489b5064 100644
--- a/rules/windows/initial_access_rdp_file_mail_attachment.toml
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -102,7 +102,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index a690dcd7d8e..6ee11eeac3d 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -103,7 +103,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index cbec1c3f280..3c1021f9dcd 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -109,7 +109,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 64036250033..88e9c8162e2 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -83,7 +83,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 71f069ac1c9..1c998cb3667 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -126,7 +126,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index fd4708c949e..a3310cb8a99 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 63d15390d58..66fe335a8fe 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -129,7 +129,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 7e8e5f648f6..f1a0a39c823 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -116,7 +116,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 8d003a851fc..2bdd30a7fec 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -94,7 +94,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index d0e9d54be6e..2a4665c2546 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -98,7 +98,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 7d234617e67..299e0f8f389 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -83,7 +83,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index f69d8ee24de..02276c6a173 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -88,7 +88,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index d557541e7e9..7114972f5ce 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -87,7 +87,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 5a239d5c2ed..360ced6a66d 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -88,7 +88,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index d1fd9ca7458..5a5e539c019 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index d5b01958795..793a71c3227 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -108,7 +108,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index a2c6cf618a8..476c4d20d94 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 46eed2da92b..db56d1164c9 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -89,7 +89,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 6c7cfabd1a2..380b61b69b0 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -100,7 +100,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index b443b2ad0e7..6f60450e9a3 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index f91f743f1cf..78d2a460beb 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -93,7 +93,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index b8b4737422d..7097c357f21 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -94,7 +94,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 52bdae8cb9b..d6851a01dd6 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -99,7 +99,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 0e96c1beaf6..05956aaa23c 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -164,7 +164,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index cd45f0bdeb5..83f99a2461d 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -78,7 +78,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 2ba17b8b36f..bedd5b70443 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -100,7 +100,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index e096bd5aa1c..72355da7b99 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -109,7 +109,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index 5998a02e2b7..3393113ab51 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -59,7 +59,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index fc0475f46c1..622e3d932fb 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 2253ca08856..10808148488 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -98,7 +98,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index d17e66e0e00..25bb07ffcd3 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -110,7 +110,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 6aeaa94c447..779de232e32 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -91,7 +91,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index cf792a4b446..6b81ea62112 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -74,7 +74,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b77dc227c9a..036ec505ef6 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -142,7 +142,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index f145322230c..b19b84c7951 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -103,7 +103,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index a985a39ed75..f367818c630 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -82,7 +82,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index e49b7c3322b..5317a793a5b 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index eedb3d3942f..5ea8a79e8f5 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -155,7 +155,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index e46b48d1108..477636d58db 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -83,7 +83,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 2c71ea83e8b..1989806841b 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -94,7 +94,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index d76a96d59ee..e245a61602b 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -60,7 +60,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 650f6eb7ff8..88a6ec351ae 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -85,7 +85,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 1e85b7b4336..c48f5720abb 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -84,7 +84,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index 60bd0fc0f33..a8596f9ad1c 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -84,7 +84,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 2496da18793..d2af1034f39 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -84,7 +84,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 8b8ea3adeba..43132f0e122 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -100,7 +100,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 72b1b35fa2a..3e352cdb884 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -134,7 +134,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index f029a927694..ef32ea0a98b 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -154,7 +154,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 4fc958fd877..9df36e2118b 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -156,7 +156,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index b53b2c164ca..841b93aa518 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -92,7 +92,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index e318d0eaa24..cd3b0bd1b5b 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -108,7 +108,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
 
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 0758146e4bb..fe53157cade 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -152,7 +152,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index ce208aa7b68..3e89c8b6613 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -143,7 +143,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index e399e4b3c28..51c08d5340e 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -142,7 +142,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 6f2ffea80c4..3e68e830256 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -88,7 +88,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index a79be508608..c74643a13d1 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -85,7 +85,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 35ffaf78fd5..758c2c36ce3 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -125,7 +125,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index fe87cf395b3..5832d8a3dee 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -137,7 +137,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 9892cc2a3f4..cfed86de6ee 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index b0ccaa7a802..57a4c12acf3 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 94bb7871821..d44c3f86543 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -83,7 +83,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index e4cb536f9bb..5a9e00b4f6c 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -95,7 +95,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index f8ab5928472..9682fa9b246 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 64f8d3cb4dc..90f3537b0cc 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -102,7 +102,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 33107981d23..eb850d01e23 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -152,7 +152,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 51ee3addba4..796703a42c8 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -97,7 +97,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index 9ec7074696a..ff270ec4518 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -103,7 +103,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index d8ba334e2f3..14c38d2ad2d 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -122,7 +122,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
index 13b65f2d13c..0a8b0628184 100644
--- a/rules/windows/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -85,7 +85,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 81ead2c2618..fd5bfc857e1 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -113,7 +113,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
index e9b45a597e9..436771b4e2e 100644
--- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
+++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
@@ -85,7 +85,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
index c472a7b9e69..5dd4f5b8281 100644
--- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -86,7 +86,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index c1771b90440..96cf91e670a 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -88,7 +88,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 246cdb97f55..e8a6ac6f09b 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -81,7 +81,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
index 199a6d1541e..8da88901d78 100644
--- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
+++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 33c75286bf1..a639207bb64 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -141,7 +141,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index c0b859f6289..41d6333759f 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -157,7 +157,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 1eb3173a5a4..aaef8aab417 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -85,7 +85,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index de876262a6a..b556bbb0429 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -93,7 +93,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 4293b3a52fd..da679ae6a23 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 47975a56de7..6dfc2572a5c 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index a89cb3e72ed..31fab27e822 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -144,7 +144,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
index e37fd3b10cf..bf6076f9b99 100644
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -128,7 +128,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index ba1fc034880..845b662b174 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -96,7 +96,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index 6b261166806..af56c805088 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -125,7 +125,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index b9c3d4de054..40206e87956 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -86,7 +86,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 752a1724407..a1009963f9c 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -89,7 +89,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 1555780c934..4e7d4bd66e4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -83,7 +83,7 @@ This rule requires data from one of the following integrations:
 - Elastic Defend
 - M365 Defender
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index e1ac00b88d0..a4aa13a8011 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -105,7 +105,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index e77d48aafe1..180f2315f82 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -90,7 +90,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 0befe65edd3..14f7e2fc296 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -148,7 +148,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index eaad6df1e89..a8f188ff7b9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -140,7 +140,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 0e00c1cc8d5..c586e1ddade 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -130,7 +130,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index 2c93ad15657..90f91cb4aa4 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -93,7 +93,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 978efb104ef..cd132dc01d3 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -168,7 +168,7 @@ This rule requires data from one of the following integrations:
 - SentinelOne Cloud Funnel
 - CrowdStrike
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index a74da2896e5..82fc9d5d737 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -99,7 +99,7 @@ setup = """## Setup
 This rule requires data from one of the following integrations:
 - Elastic Defend
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 87ed78c2cc4..bef306dbde7 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -108,7 +108,7 @@ This rule requires data from one of the following integrations:
 - M365 Defender
 - SentinelOne Cloud Funnel
-Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
 ### Elastic Defend Setup
From d651c8c98a91dd5ea76ea8f3b03c7039057a531b Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Fri, 14 Mar 2025 23:58:40 -0400
Subject: [PATCH 3/3] disabling tj-actions
---
 .github/workflows/kibana-mitre-update.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/kibana-mitre-update.yml b/.github/workflows/kibana-mitre-update.yml
index 5d7b7fe64ca..7a6e165b70b 100644
--- a/.github/workflows/kibana-mitre-update.yml
+++ b/.github/workflows/kibana-mitre-update.yml
@@ -15,6 +15,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Get MITRE Attack changed files
+ if: false
 id: changed-attack-files
 uses: tj-actions/changed-files@v44
 with:
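Review bot: `if: false` skips the step but leaves `uses: tj-actions/changed-files@v44` declared against a mutable version tag, so the workflow still references third-party code that can change underneath the tag and the step can be re-enabled by flipping one line. If the step is to stay, pin it to a full-length commit SHA with the version in a trailing comment, e.g. `uses: tj-actions/changed-files@<full-commit-sha> # v44` (placeholder SHA), or remove the step together with whatever consumes it; the same pinning applies to `actions/checkout@v4` on the first context line. Presumably a later step reads `steps.changed-attack-files.outputs.*`; it will now see an empty output, and since that step is outside this hunk it should be confirmed as gated or removed as well. A comment above the gate recording why it is disabled, e.g. `# disabled pending supply-chain review of tj-actions/changed-files; do not re-enable without pinning to a commit SHA`, would keep the intent from being lost when the commit message is no longer at hand.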