diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index edf2c027b3c..01483291592 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2021/04/12" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [transform] [[transform.osquery]] @@ -38,7 +40,7 @@ system within a separate protocol to avoid detection and network filtering, or t systems. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" @@ -155,6 +157,8 @@ tags = [ "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index 9b31e528a44..bbd78ee7232 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/12/21" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/31" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -13,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration. """ false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential OpenSSH Backdoor Logging Activity" @@ -72,6 +74,7 @@ tags = [ "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 63afb25e1d3..6d5ba1837fd 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/22" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/17" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -13,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -68,6 +70,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml index 85596ec3685..ca6700c78de 100644 --- a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/08/23" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/18" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Identify activity related where adversaries can add the 'hidden' flag to files t to evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" @@ -27,6 +29,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml index 812ed4ba684..1b325e4f75f 100644 --- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml +++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/08/28" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/28" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ or modify the Doas configuration file to elevate privileges and execute commands evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.file*", "endgame-*"] +index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via Doas" @@ -52,6 +54,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index c14918a6bd2..e942a964e63 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/04/27" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "File Deletion via Shred" @@ -51,6 +53,8 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index f320147a67b..3f6201d9255 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/20" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi folders on the system for persistence and defense evasion. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -67,6 +69,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml index b6d1c22b3f0..e7cda7b8898 100644 --- a/rules/linux/defense_evasion_ld_so_creation.toml +++ b/rules/linux/defense_evasion_ld_so_creation.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/12/16" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/12/16" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ needed by an executable. Attackers may attempt to replace the dynamic linker wit arbitrary code. """ from = "now-9m" -index = ["logs-endpoint.events.file*"] +index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Dynamic Linker (ld.so) Creation" @@ -52,6 +54,8 @@ tags = [ "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 391cd6f5e04..4004647cc05 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/11/03" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/09/23" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att forensic evidence on a system. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "System Log File Deletion" @@ -69,6 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml index 342d5bdbc2f..46d5a10dc28 100644 --- a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml +++ b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/08/28" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/28" +min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration." +min_stack_version = "8.16.2" +updated_date = "2025/01/06" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ provides access control security policies. Modifications to the SELinux configur impair defenses by disabling or modifying security tools. """ from = "now-9m" -index = ["logs-endpoint.events.file*", "endgame-*"] +index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "SELinux Configuration Creation or Renaming" @@ -51,7 +53,8 @@ tags = [ "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: SentinelOne" ] timestamp_override = "event.ingested" type = "eql"