[Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
w0rk3r and terrancedejesus authored Apr 16, 2024
1 parent 7431279 commit 5004ff1
Showing 47 changed files with 94 additions and 94 deletions.
4 changes: 2 additions & 2 deletions rules/windows/command_and_control_iexplore_via_com.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -15,7 +15,7 @@ network connections and bypass host-based firewall restrictions.
"""
false_positives = ["Processes such as MS Office using IEproxy to render HTML content."]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Command and Control via Internet Explorer"
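Review bot: The narrowed `index` list on the `index` line is only correct relative to the rule's EQL `query`, which sits outside this hunk: every `event.category` the query (or each leg of its `sequence`, if it has one) relies on must map to one of the listed data streams, otherwise that leg never matches and the rule goes quiet with no error, which is an easy gap to miss in a bulk tuning pass. This file now lists `library-*`, `process-*` and `network-*`; if the query only joins library and network events the `process-*` stream is extra scan cost, and if it also uses another category, coverage is lost rather than tightened. The same check applies to every `index` change in this commit (for example `Remote File Download via PowerShell`, `Potential Enumeration via Active Directory Web Service`, `Process Termination followed by Deletion`). Consider documenting the mapping with a short `#` comment above each `index` line, e.g. `# streams cover the query's event.category set: library, process, network`, or better, enforce it with a repository unit test so later query edits cannot drift from the index list.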
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/12/07"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

Expand Down Expand Up @@ -67,7 +67,7 @@ providers = [
author = ["Elastic"]
description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via PowerShell"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/29"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

Expand Down Expand Up @@ -39,7 +39,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
from a remote destination.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via Script Interpreter"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

Expand Down Expand Up @@ -40,7 +40,7 @@ credential management. This technique is sometimes used for credential dumping.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via Trusted Developer Utility"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_installutil_beacon.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat
often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "InstallUtil Process Making Network Connections"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_masquerading_werfault.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -41,7 +41,7 @@ masquerading attempt to evade suspicious child process behavior detections.
"""
false_positives = ["Legit Application Crash with rare Werfault commandline value"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Windows Error Manager Masquerading"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -39,7 +39,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut
application allowlists and signature validation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via Signed Binary"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -38,7 +38,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad
leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "MsBuild Making Network Connections"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_mshta_beacon.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve
leveraged by adversaries to execute malicious scripts and evade detection.
"""
from = "now-20m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Mshta Making Network Connections"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_msxsl_network.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial
by adversaries to execute malicious scripts and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via MsXsl"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -39,7 +39,7 @@ Identifies network activity from unexpected system applications. This may indica
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Activity from a Windows System Binary"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/26"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -40,7 +40,7 @@ of these files can occur during an intrusion, or as part of a post-intrusion pro
footprint.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Termination followed by Deletion"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_suspicious_wmi_script.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution
libraries it may be indicative of an allowlist bypass.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMIC XSL Script Execution"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies unusual instances of dllhost.exe making outbound network connections.
and Control activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Connection via DllHost"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections
and Control activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Connection via RunDLL32"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies network activity from unexpected system applications. This may indica
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Network Connection"
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_wsl_filesystem.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/03/08"
updated_date = "2024/04/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

Expand All @@ -13,7 +13,7 @@ Detects files creation and modification on the host system from the the Windows
Adversaries may enable and use WSL for Linux to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Host Files System Changes via Windows Subsystem for Linux"
4 changes: 2 additions & 2 deletions rules/windows/discovery_active_directory_webservice.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/31"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies processes loading Active Directory related modules followed by a netw
Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Enumeration via Active Directory Web Service"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -44,7 +44,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Command Prompt Network Connection"
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -39,7 +39,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte
program (hh.exe).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via Compiled HTML File"
4 changes: 2 additions & 2 deletions rules/windows/execution_ms_office_written_file.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
launched via scripts inside documents or during exploitation of Microsoft Office applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
4 changes: 2 additions & 2 deletions rules/windows/execution_pdf_written_file.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
often launched via exploitation of PDF applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"