[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 (#4222)

Removed changes from: - rules/windows/defense_evasion_masquerading_trusted_directory.toml - rules/windows/defense_evasion_wsl_child_process.toml - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml - rules/windows/execution_enumeration_via_wmiprvse.toml - rules/windows/execution_initial_access_foxmail_exploit.toml - rules/windows/execution_suspicious_cmd_wmi.toml - rules/windows/execution_suspicious_pdf_reader.toml - rules/windows/execution_via_compiled_html_file.toml - rules/windows/execution_via_mmc_console_file_unusual_path.toml (selectively cherry picked from commit 2b6116e)
elastic · Nov 4, 2024 · a6370ab · a6370ab
1 parent a502d28
commit a6370ab
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "m365_defender", "system"]
+integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/31"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
 establish persistence using WMI Event Subscription.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"]
+index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mofcomp Activity"
@@ -28,6 +28,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Elastic Endgame",
     "Data Source: System",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"