elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[FR] Add missing logs-system.security* to applicable security rules #3661

Closed mbudge closed 1 day ago

mbudge commented 1 month ago

Hi,

Good to see logs-system.security* has been added to more security rules.

The following are missing logs-system.security* but have winlogbeat-* meaning they have the correct data to work. This will allow us to enable these rules as it's still not possible to customise the pre-built elastic security rules. The high priority part of this FR is adding logs-system.security* where applicable.

Accessing Outlook Data Files
Attempted Private Key Access
Binary Content Copy via Cmd.exe
Command Shell Activity Started via RunDLL32
Encrypting Files with WinRar or 7z
Execution of Persistent Suspicious Program
Microsoft Build Engine Started by a Script Process
Microsoft Exchange Worker Spawning Suspicious Processes
Persistence via BITS Job Notify Cmdline
Persistence via Update Orchestrator Service Hijack
Potential Cookies Theft via Browser Debugging
Potential Modification of Accessibility Binaries
Process Activity via Compiled HTML File
Remote System Discovery Commands
Suspicious Execution from a Mounted Device
Suspicious Execution via Microsoft Office Add-Ins
Suspicious Execution via Scheduled Task
Suspicious Explorer Child Process
Suspicious WerFault Child Process
System Information Discovery via Windows Command Shell
System Service Discovery through built-in Windows Utilities
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
UAC Bypass via Windows Firewall Snap-In Hijack
Unusual Child Process of dns.exe
Unusual Parent Process for cmd.exe
Unusual Service Host Child Process - Childless Service
Windows Firewall Disabled via PowerShell
Windows Network Enumeration
Windows Script Executing PowerShell
Windows System Information Discovery

The following rules are missing logs-system.security and winlogbeat-* but will work.

Discovery of Internet Capabilities via Built-in Tools
Elastic Agent Service Terminated
Execution via Microsoft DotNet ClickOnce Host
File and Directory Permissions Modification
File or Directory Deletion Command
Mofcomp Activity
Potential Defense Evasion via CMSTP.exe
Potential Exploitation of an Unquoted Service Path Vulnerability
Service Path Modification via sc.exe
Suspicious Execution via MSIEXEC
Windows Account or Group Discovery
Windows System Network Connections Discovery
WMIC Remote Command
Account Discovery Command via SYSTEM Account

The following rules will work if process.name.caseless is added to the Fleet managed mappings.

Discovery of Internet Capabilities via Built-in Tools
Microsoft Build Engine Started by a Script Process
Query Registry using Built-in Tools

These rules should be tagged with sysmon or powershell so it's easier to exclude them.

Command Prompt Network Connection
Connection to Commonly Abused Free SSL Certificate Providers
Creation or Modification of a new GPO Scheduled Task or Service
DNS-over-HTTPS Enabled via Registry
First Time Seen Commonly Abused Remote Access Tool Execution
Incoming DCOM Lateral Movement with MMC
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Incoming Execution via PowerShell Remoting
Incoming Execution via WinRM Remote Shell
InstallUtil Process Making Network Connections
Kerberos Traffic from Unusual Process
Mshta Making Network Connections

w0rk3r commented 5 days ago

Update

I'm working on this one and will probably submit a PR for it today or tomorrow. But wanted to clarify a few points to align expectations:

The following are missing logs-system.security* but have winlogbeat-* meaning they have the correct data to work. This will allow us to enable these rules as it's still not possible to customise the pre-built elastic security rules. The high priority part of this FR is adding logs-system.security* where applicable.

Last time, we evaluated all rules in the Windows folder, and all the compatible ones had the index added at https://github.com/elastic/detection-rules/pull/3501. This means that the ones left from that folder use fields that are not compatible with the system security data source, and the fact that they have the winlogbeat index is for compatibility with Sysmon, and not security logs.

But the last review didn't include our building block rules, and this is what I'm going to solve in my next PR.

A few examples of rules listed there that aren't building block rules and use unsupported fields:

Uses process.parent.args, which is not provided by security logs.

Uses process.pe.original_file_name, which is not provided by security logs.

Uses process.code_signature.subject_name & process.pe.original_file_name, which are not provided by security logs.

Uses process.name.caseless OR process.pe.original_file_name, which is not provided by security logs.

Uses process.parent.args, which is not provided by security logs.

Uses process.parent.args, which is not provided by security logs.

etc.
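The check w0rk3r describes above (add logs-system.security* only to rules whose query uses no field that Windows Security event logs do not carry) as an added Python example; this is not the detection-rules project's own tooling, the unsupported-field set is just the four fields named in this thread and is assumed to be incomplete, and the two sample rules are constructed, not the project's actual rule text.

```python
from __future__ import annotations
import re

# Fields this thread names as NOT provided by Windows Security event logs
# (they come from Sysmon / endpoint data). Taken from the comment above;
# assumed incomplete, extend it from the rule's own field usage.
UNSUPPORTED_BY_SECURITY_LOGS = {
    "process.parent.args",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.name.caseless",
}
SECURITY_INDEX = "logs-system.security*"

# Dotted ECS-style identifiers, e.g. process.parent.name or host.id.
FIELD_RE = re.compile(r"\b([a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+)", re.I)


def referenced_fields(query: str) -> set[str]:
    """Return the dotted field names referenced in a KQL/EQL rule query."""
    # Blank out string literals first so values like "cmd.exe" are not read as fields.
    stripped = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    return set(FIELD_RE.findall(stripped))


def security_log_compatible(query: str) -> tuple[bool, set[str]]:
    """True when the query uses no field known to be absent from security logs."""
    unsupported = referenced_fields(query) & UNSUPPORTED_BY_SECURITY_LOGS
    return (not unsupported, unsupported)


def proposed_index(rule: dict) -> list[str]:
    """Rule index list with logs-system.security* appended only when compatible."""
    indices = list(rule["index"])
    compatible, _ = security_log_compatible(rule["query"])
    if compatible and SECURITY_INDEX not in indices:
        indices.append(SECURITY_INDEX)
    return indices


# Constructed samples in the shape of a rule's index + query metadata (illustrative).
SAMPLE_RULES = {
    "compatible-example": {
        "index": ["winlogbeat-*", "logs-windows.*"],
        "query": 'process where event.type == "start" and process.name : "cmd.exe" '
                 'and process.parent.name : "winword.exe"',
    },
    "sysmon-only-example": {
        "index": ["winlogbeat-*", "logs-windows.*"],
        "query": 'process where event.type == "start" and process.parent.args : "*--foo*" '
                 'and process.pe.original_file_name : "chrome.exe"',
    },
}
```

Running `proposed_index` over a rule directory reproduces the triage in the thread: rules whose queries touch only fields present in security logs get the index, the Sysmon-only ones are left alone and reported with the offending fields.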