diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index a3670ab3a2d..a7cbde751cb 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 0d9465fd3bb..1ee34652fd4 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 50425a74099..1d8002cf06f 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -79,7 +79,8 @@ def validator(value): 'sentinel_one_cloud_funnel', 'ti_rapid7_threat_command', 'm365_defender', - 'panw'] + 'panw', + 'crowdstrike'] NON_PUBLIC_FIELDS = { "related_integrations": (Version.parse('8.3.0'), None), "required_fields": (Version.parse('8.3.0'), None), diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index bdb0396e4a4..7dc24bab60c 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/12/15" -integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] +integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2024/10/31" [rule] author = ["Elastic"] @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -74,14 +75,6 @@ references = [ ] risk_score = 47 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -95,6 +88,7 @@ tags = [ "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index 11f5a6aecf0..9b3c1209638 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/05/10" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/10/31" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -67,6 +68,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index c154da4f8f8..907df3814ca 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/10/14" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/17" +updated_date = "2024/10/31" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T enable routing of network packets that would otherwise not reach their intended destination. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Tunneling Detected" @@ -54,14 +54,6 @@ This rule looks for command lines involving the `3389` port, which RDP uses by d references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"] risk_score = 73 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -75,6 +67,7 @@ tags = [ "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 87d945ecdae..890ac2e7d0f 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2024/03/27" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/17" +updated_date = "2024/10/31" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies suspicious processes being spawned by the ScreenConnect client proces abusing unauthorized access to the ScreenConnect remote access software. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Suspicious ScreenConnect Client Child Process" @@ -33,6 +33,7 @@ tags = [ "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml index 37a1790ca16..d40001f8bc6 100644 --- a/rules/windows/command_and_control_tunnel_vscode.toml +++ b/rules/windows/command_and_control_tunnel_vscode.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2024/09/09" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/17" +updated_date = "2024/10/31" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Detects the execution of the VScode portable binary with the tunnel command line attempt to establish a remote tunnel session to Github or a remote VScode instance. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Attempt to Establish VScode Remote Tunnel" @@ -35,6 +35,7 @@ tags = [ "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 279676fec23..0b1bf4ff115 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/13" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2024/10/31" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Domain Backup DPAPI private key" @@ -27,16 +27,8 @@ references = [ ] risk_score = 73 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index 01de955ce9f..15cc4ea836a 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/08/23" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2024/10/31" [rule] author = ["Elastic"] @@ -14,14 +14,14 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P attacker to impersonate users using Kerberos tickets. """ from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Kirbi File Creation" risk_score = 73 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index 67fd6cac5c5..90adf75f13c 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2022/04/30" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/10/31" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -46,6 +47,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 65a436ee027..0e186209739 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/10/31" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -71,6 +72,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index e826a191ae8..f0b273d90e7 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/08/21" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/10/31" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,20 +22,13 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -49,6 +42,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index a74b595f5a0..9bef889a834 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -353,7 +353,8 @@ def test_required_tags(self): 'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']}, 'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']}, 'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}, - 'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']} + 'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']}, + 'logs-crowdstrike.fdr*': {'all': ['Data Source: Crowdstrike']} } for rule in self.all_rules: