diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 94dabf82aec..6001f222e95 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 1cd8f9294bd..46ba523bd76 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 481da84d70c..67cba8e1c68 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -41,7 +41,8 @@ 'system', 'windows', 'sentinel_one_cloud_funnel', -'ti_rapid7_threat_command'] +'ti_rapid7_threat_command', +'m365_defender'] NON_PUBLIC_FIELDS = { "related_integrations": (Version.parse('8.3.0'), None), "required_fields": (Version.parse('8.3.0'), None),
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index 7a3135c6e28..195ea51492b 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/03/02"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
 from = "now-9m"
-index = ["logs-endpoint.events.api-*"]
+index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
@@ -112,6 +112,7 @@ tags = [
 "Tactic: Credential Access",
 "Tactic: Execution",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -119,9 +120,7 @@ type = "eql" query = ''' api where host.os.type == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and -not -( -process.executable : ( +not process.executable : ( "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe", "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
@@ -158,7 +157,6 @@ api where host.os.type == "windows" and "?:\\Windows\\System32\\RtkAudUService64.exe", "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" -) and process.code_signature.trusted == true ) '''
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index e93afa811f8..116a0f69944 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
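Review bot: Dropping `and process.code_signature.trusted == true` from the exclusion in hunk @@ -158 widens it from "signed binaries at these paths" to "anything at these paths", so an unsigned or untrusted executable running from one of the globs listed in hunk @@ -119 would no longer be reported by this rule; that is a detection-coverage change, not a tidy-up, and deserves a sentence in the PR description. The removal is presumably motivated by Microsoft Defender for Endpoint events not carrying `process.code_signature.trusted`, but the condition can be kept in a null-tolerant form so it still applies to Elastic Defend events, e.g. `) and (process.code_signature.trusted == true or process.code_signature.trusted == null)`, once the integration's field population has been confirmed against a sample event. Separately, the unchanged `process.Ext.api.name` condition uses the Elastic Endpoint `Ext` namespace, so unless the m365_defender integration maps MDE API events onto it, the `logs-m365_defender.event-*` pattern added in hunk @@ -34 may never match this rule at all. The exclusion list continues between the two query hunks, outside what is shown here.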
@@ -12,7 +12,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
@@ -35,6 +35,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -43,8 +44,7 @@ query = ''' file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and - file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and - not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl") + file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") '''
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 53359cc1b12..584d337ab42 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+"logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 4369e04cdf3..13d80ec7f19 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+"logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -110,6 +111,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0df4a75f2b6..d70f49a5412 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "system", "windows"]
+integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Whoami Process Activity"
@@ -72,6 +72,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index 60d4797b805..7a6bf1ec0ad 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/03/24"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+"logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,6 +42,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index d0c4a672662..801b6587329 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/17"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+"logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -121,6 +122,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index e438ea28dd8..67e86481998 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -311,7 +311,8 @@ def test_required_tags(self):
 'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']},
 'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']},
 'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']},
-'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}
+'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']},
+'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']}
 }
 
 for rule in self.all_rules: