[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)

* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests

(cherry picked from commit 54d5b44)

Author: w0rk3r

detection_rules/etc/integration-manifests.json.gz

@@ -41,7 +41,8 @@
                         'system',
                         'windows',
                         'sentinel_one_cloud_funnel',
-                        'ti_rapid7_threat_command']
+                        'ti_rapid7_threat_command',
+                        'm365_defender']
 NON_PUBLIC_FIELDS = {
     "related_integrations": (Version.parse('8.3.0'), None),
     "required_fields": (Version.parse('8.3.0'), None),

detection_rules/etc/integration-schemas.json.gz

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/15"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
@@ -74,7 +74,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
 

detection_rules/schemas/definitions.py

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -72,7 +72,8 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
-    "Data Source: SentinelOne"
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/collection_email_powershell_exchange_mailbox.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/03/27"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious processes being spawned by the ScreenConnect client proces
 abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
@@ -30,7 +30,8 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
-    "Data Source: SentinelOne"
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/command_and_control_rdp_tunnel_plink.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/13"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -36,7 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
 

rules/windows/command_and_control_screenconnect_childproc.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -14,14 +14,14 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
 attacker to impersonate users using Kerberos tickets.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
 risk_score = 47
 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
 

rules/windows/credential_access_domain_backup_dpapi_private_keys.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/03/02"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
 from = "now-9m"
-index = ["logs-endpoint.events.api-*"]
+index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
@@ -112,16 +112,15 @@ tags = [
     "Tactic: Credential Access",
     "Tactic: Execution",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 api where host.os.type == "windows" and 
   process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and 
-  not 
-  (
-    process.executable : (
+  not process.executable : (
         "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
         "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
         "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
@@ -158,7 +157,6 @@ api where host.os.type == "windows" and
         "?:\\Windows\\System32\\RtkAudUService64.exe",
         "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
         "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
-    ) and process.code_signature.trusted == true
   )
 '''
 

rules/windows/credential_access_kirbi_file.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/01/17"
-integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"]
+integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu
 attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Antimalware Scan Interface DLL"
@@ -104,7 +104,8 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
-    "Data Source: SentinelOne"
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/credential_access_lsass_openprocess_api.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
@@ -35,6 +35,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -43,8 +44,7 @@ query = '''
 file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
   file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
   not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
-       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
-  not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
+       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
 '''
 
 

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
     "logs-windows.*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
     "Tactic: Defense Evasion",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_file_creation_mult_extension.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/11/01"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ default) and is set to 1, then remote connections from all local members of Admi
 high-integrity tokens during negotiation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Local Account TokenFilter Policy Disabled"
@@ -35,7 +35,8 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
-    "Data Source: SentinelOne"
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
@@ -97,7 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
 

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
     "logs-windows.*",
     "endgame-*",
     "logs-system.security*",
+    "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -110,6 +111,7 @@ tags = [
     "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
+    "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"