[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)

* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests

Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml

(selectively cherry picked from commit 54d5b44)

Author: w0rk3r

detection_rules/etc/integration-manifests.json.gz

@@ -41,7 +41,8 @@
                         'system',
                         'windows',
                         'sentinel_one_cloud_funnel',
-                        'ti_rapid7_threat_command']
+                        'ti_rapid7_threat_command',
+                        'm365_defender']
 NON_PUBLIC_FIELDS = {
     "related_integrations": (Version.parse('8.3.0'), None),
     "required_fields": (Version.parse('8.3.0'), None),

detection_rules/etc/integration-schemas.json.gz

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/03/02"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
 from = "now-9m"
-index = ["logs-endpoint.events.api-*"]
+index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
@@ -112,16 +112,15 @@ tags = [
     "Tactic: Credential Access",
     "Tactic: Execution",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 api where host.os.type == "windows" and 
   process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and 
-  not 
-  (
-    process.executable : (
+  not process.executable : (
         "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
         "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
         "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
@@ -158,7 +157,6 @@ api where host.os.type == "windows" and
         "?:\\Windows\\System32\\RtkAudUService64.exe",
         "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
         "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
-    ) and process.code_signature.trusted == true
   )
 '''
 

detection_rules/schemas/definitions.py

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
@@ -35,6 +35,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -43,8 +44,7 @@ query = '''
 file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
   file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
   not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
-       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
-  not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
+       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
 '''
 
 

rules/windows/credential_access_lsass_openprocess_api.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
     "logs-windows.*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_file_creation_mult_extension.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
     "logs-windows.*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -110,6 +111,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "system", "windows"]
+integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Whoami Process Activity"
@@ -72,6 +72,7 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_via_filter_manager.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/03/24"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ index = [
     "logs-windows.*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,6 +42,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Use Case: Vulnerability",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/discovery_whoami_command_activity.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/17"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
     "logs-windows.*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -121,6 +122,7 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/initial_access_exploit_jetbrains_teamcity.toml

@@ -311,7 +311,8 @@ def test_required_tags(self):
             'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']},
             'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']},
             'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']},
-            'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}
+            'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']},
+            'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']}
         }
 
         for rule in self.all_rules: