[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs

rules/windows/credential_access_bruteforce_admin_account.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/02"
+updated_date = "2023/04/27"
 
 [transform]
 [[transform.osquery]]
@@ -106,8 +106,7 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
-    winlog.logon.type : "Network" and
+  [authentication where event.action == "logon-failed" and winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
 
     /* noisy failure status codes often associated to authentication misconfiguration */

rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/04/27"
 
 [transform]
 [[transform.osquery]]
@@ -110,15 +110,15 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=5s
-  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
+  [authentication where event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
     not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and
 
     /* noisy failure status codes often associated to authentication misconfiguration */
     not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
-  [authentication where host.os.type == "windows" and event.action == "logged-in" and
+  [authentication where event.action == "logged-in" and
     /* event 4624 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/04/27"
 
 [transform]
 [[transform.osquery]]
@@ -115,7 +115,7 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
+  [authentication where event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and

rules/windows/credential_access_dcsync_newterm_subjectuser.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.action:"Directory Service Access" and host.os.type:windows and event.code:"4662" and
+event.action:"Directory Service Access" and event.code:"4662" and
  winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
                                *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
                                *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and

rules/windows/credential_access_dcsync_replication_rights.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -98,7 +98,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where host.os.type == "windows" and event.action == "Directory Service Access" and
+any where event.action == "Directory Service Access" and
   event.code == "4662" and winlog.event_data.Properties : (
 
     /* Control Access Rights/Permissions Symbol */

rules/windows/credential_access_disable_kerberos_preauth.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:4738 and host.os.type:windows and message:"'Don't Require Preauth' - Enabled"
+event.code:4738 and winlog.api:"wineventlog" and message:"'Don't Require Preauth' - Enabled"
 '''
 
 

rules/windows/credential_access_ldap_attributes.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where host.os.type == "windows" and event.action == "Directory Service Access" and event.code == "4662" and
+any where event.action == "Directory Service Access" and event.code == "4662" and
 
   not winlog.event_data.SubjectUserSid : "S-1-5-18" and
 

rules/windows/credential_access_lsass_memdump_handle_access.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/04/27"
 
 [transform]
 [[transform.osquery]]
@@ -134,7 +134,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where host.os.type == "windows" and event.action == "File System" and event.code == "4656" and
+any where event.action == "File System" and event.code == "4656" and
 
     winlog.event_data.ObjectName : (
         "?:\\Windows\\System32\\lsass.exe",

rules/windows/credential_access_remote_sam_secretsdump.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ sequence by host.id, user.id with maxspan=1m
    event.outcome == "success" and event.action == "logged-in" and
    winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and
    not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"]
- [file where host.os.type == "windows" and event.action == "creation" and process.name : "svchost.exe" and
+ [file where event.action == "creation" and process.name : "svchost.exe" and
   file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and
   not file.path :
            ("?:\\Windows\\system32\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry",

rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -37,11 +37,11 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 
  /* 2 consecutive vault reads from same pid for web creds */
 
- [any where host.os.type == "windows" and event.code : "5382" and
+ [any where event.code : "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7"]
 
- [any where host.os.type == "windows" and event.code : "5382" and
+ [any where event.code : "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7"]
 '''

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:"Authorization Policy Change" and host.os.type:windows and event.code:4704 and
+event.action:"Authorization Policy Change" and event.code:4704 and
   winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
 '''
 

rules/windows/credential_access_shadow_credentials.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:"Directory Service Changes" and host.os.type:windows and event.code:"5136" and
+event.action:"Directory Service Changes" and event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and
  not winlog.event_data.SubjectUserName: MSOL_*
 '''

rules/windows/credential_access_spn_attribute_modified.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -99,8 +99,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:"Directory Service Changes" and host.os.type:windows and
-  event.code:5136 and winlog.event_data.ObjectClass:"user" and
+event.action:"Directory Service Changes" and event.code:5136 and
+  winlog.event_data.ObjectClass:"user" and
   winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 '''
 

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -89,12 +89,12 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m
- [iam where host.os.type == "windows" and event.action == "logged-in-special"  and
+ [iam where event.action == "logged-in-special"  and
   winlog.event_data.PrivilegeList : "SeBackupPrivilege" and
 
   /* excluding accounts with existing privileged access */
   not winlog.event_data.PrivilegeList : "SeDebugPrivilege"]
- [any where host.os.type == "windows" and event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
+ [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
 '''
 
 

rules/windows/defense_evasion_clearing_windows_security_logs.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -56,7 +56,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:("audit-log-cleared" or "Log clear") and host.os.type:windows
+event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog"
 '''
 
 

rules/windows/discovery_privileged_localgroup_membership.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/04/27"
 
 [transform]
 [[transform.osquery]]
@@ -117,7 +117,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-iam where host.os.type == "windows" and event.action == "user-member-enumerated" and
+iam where event.action == "user-member-enumerated" and
 
   /* excluding machine account */
   not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and

rules/windows/execution_posh_hacktool_functions.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/04/05"
+updated_date = "2023/04/27"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -13,7 +13,7 @@ Detects known PowerShell offensive tooling functions names in PowerShell scripts
 offensive tools without modifying the code. This rule aim is to take advantage of that.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential PowerShell HackTool Script by Function Names"

rules/windows/lateral_movement_remote_service_installed_winlog.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -25,9 +25,9 @@ type = "eql"
 
 query = '''
 sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
-[authentication where host.os.type == "windows" and event.action == "logged-in" and winlog.logon.type : "Network" and
+[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
 event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
-[iam where host.os.type == "windows" and event.action == "service-installed" and
+[iam where event.action == "service-installed" and
  not winlog.event_data.SubjectLogonId : "0x3e7" and
  not winlog.event_data.ServiceFileName :
                ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",

rules/windows/lateral_movement_remote_task_creation_winlog.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -56,12 +56,12 @@ query = '''
 /* Network Logon followed by Scheduled Task creation  */
 
 sequence by winlog.computer_name with maxspan=1m
-  [authentication where host.os.type == "windows" and event.action == "logged-in" and
+  [authentication where event.action == "logged-in" and
    winlog.logon.type == "Network" and event.outcome == "success" and
    not user.name == "ANONYMOUS LOGON" and not winlog.event_data.SubjectUserName : "*$" and
    not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"] by winlog.event_data.TargetLogonId
 
-  [iam where host.os.type == "windows" and event.action == "scheduled-task-created"] by winlog.event_data.SubjectLogonId
+  [iam where event.action == "scheduled-task-created"] by winlog.event_data.SubjectLogonId
 '''
 
 

rules/windows/persistence_ad_adminsdholder.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/27"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:"Directory Service Changes" and host.os.type:windows and event.code:5136 and
+event.action:"Directory Service Changes" and event.code:5136 and
   winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
 '''