Convert windows rules from KQL to EQL #1114
…le_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
…s & removed endpoint index
@Samirbous thanks for all the enhancements to the rules! From a quick glance they look good, but are beyond the original scope of this PR. For some more context and sharing my process: One of the biggest downsides of scope and having multiple contributors making commits to a PR is that it's hard for them to coordinate and they have different goals in mind for what "done" means. It also makes it difficult as a reviewer because merging a PR is always all-or-nothing, so additional changes could slow the merge. That said, I'm thinking that we might want to move your commits to a new PR (don't worry, this can be done fairly painlessly and I'll be glad to help make it happen), so that we can get the KQL -> EQL conversion done first. Then it'll be easier to sort through all of the helpful contributions you made.
@rw-access As long as they will be incorporated automagically I'm fine with that (most of the tuning was related to kql -> eql, like replacing drive letter C with ?; a few were quick adjustments to wrong syntax/logic, like a rule with file where process.parent.name ... or process where dll.name ...).
looks good after the suggestions are applied
…-to-eql
# Conflicts:
# rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
# rules/_deprecated/execution_command_shell_started_by_powershell.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
LGTM
Issues
resolves #1113
Summary
Converts all windows KQL rules to EQL for case resiliency.
For reviewers
The most important thing for this review (in order): `==` to `:` and `in` to `:`
)
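The shape of the conversion this PR describes, as an added illustration rather than a rule taken from the repository: a constructed certutil rule in its original KQL form (in the comments) and the converted EQL form, where the case-insensitive `:` operator replaces `==` and `in` on fields whose values vary in case, and the `?` single-character wildcard replaces the hard-coded `C` drive letter mentioned in the comments above. Rule name and query contents are made up for the example.

```toml
# Constructed example rule, not a rule from the detection-rules repository.
#
# Before (KQL): keyword matching in the "kuery" language is case-sensitive,
# so "CertUtil.EXE" or a process started from D: would not match.
#
#   type = "query"
#   language = "kuery"
#   query = '''
#   event.category:process and event.type:start and
#     process.name:certutil.exe and
#     process.args:(-decode or -encode) and
#     process.executable:"C:\\Windows\\System32\\certutil.exe"
#   '''
#
# After (EQL): the same detection with case-resilient comparisons.
[rule]
name = "Example: Encoding or Decoding Files via CertUtil"
type = "eql"
language = "eql"
query = '''
process where

  /* event.type holds fixed lowercase ECS constants, so the case-sensitive
     `in` is safe here and is kept; `:` is reserved for attacker-influenced
     strings such as names, arguments and paths. */
  event.type in ("start", "process_started") and

  /* `:` instead of `==`: matches certutil.exe, CertUtil.EXE, CERTUTIL.exe ... */
  process.name : "certutil.exe" and

  /* `:` with a list instead of `in`: each member is compared case-insensitively. */
  process.args : ("-decode", "-encode") and

  /* `?` matches any single character, so the rule no longer assumes the
     system drive is C:. Backslashes are doubled because EQL string
     literals use backslash escapes. */
  process.executable : "?:\\Windows\\System32\\certutil.exe"
'''
```

The `in` on `event.type` is the one comparison deliberately left case-sensitive: ECS event types are fixed constants, so relaxing them buys nothing and can only widen the match.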