From e6dc0fedddc8bfc68fcd5fe2e6a9bd3386313a2d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 23 Apr 2025 20:14:39 -0300
Subject: [PATCH] [Rule Tuning] Replace legacy winlog.api usage

---
 .../defense_evasion_clearing_windows_security_logs.toml | 4 ++--
 rules/windows/persistence_group_modification_by_system.toml | 4 ++--
 ...ersistence_user_account_added_to_privileged_group_ad.toml | 4 ++--
 .../persistence_user_account_creation_event_logs.toml | 5 ++---
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 6536cdf6cd8..615f707a63b 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/23"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -62,7 +62,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" and
+host.os.type:windows and event.action:("audit-log-cleared" or "Log clear") and
 not winlog.provider_name:"AD FS Auditing"
 '''
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index 2898f609ef9..ddc052d6393 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/23"
 [rule]
 author = ["Elastic"]
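Review bot: In the `@@ -62,7 +62,7 @@` hunk the new `host.os.type:windows` predicate is a weaker selector than the removed `winlog.api:"wineventlog"`: it keys on the reporting host's OS rather than on the event-log collection path, so any Windows-sourced document that carries event.action "audit-log-cleared" or "Log clear" now matches regardless of which integration or shipper produced it, and documents from a source that does not populate host.os.type silently stop matching. The same substitution is made in the query hunks of persistence_group_modification_by_system.toml, persistence_user_account_added_to_privileged_group_ad.toml and persistence_user_account_creation_event_logs.toml. If the rule is meant to stay bound to Windows event-log data, pair the OS check with a positive channel or provider constraint — the query already filters on `winlog.provider_name`, so a `winlog.channel` or `winlog.provider_name` condition would be the natural anchor. It would also help to state in the commit message, or the rule's note, which integration versions are guaranteed to set host.os.type, since only the fourth file shows a `min_stack_version` in the visible context.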
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where winlog.api == "wineventlog" and event.code == "4728" and
+iam where host.os.type == "windows" and event.code == "4728" and
 winlog.event_data.SubjectUserSid : "S-1-5-18" and
 /* DOMAIN_USERS and local groups */
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index edcaee98237..9ea9d88ef5e 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/23"
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
+iam where host.os.type == "windows" and event.action == "added-member-to-group" and
 (
 (
 group.name : (
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 39e50dc0b52..bb9e867252b 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2025/02/21"
+updated_date = "2025/04/23"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -31,8 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.module:("system" or "security") and winlog.api:"wineventlog" and
- (event.code:"4720" or event.action:"added-user-account")
+host.os.type:windows and event.module:("system" or "security") and (event.code:"4720" or event.action:"added-user-account")
 '''
 note = """## Triage and analysis
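Review bot: The added query line folds the `(event.code:"4720" or event.action:"added-user-account")` group onto the same line as the source predicates, which drops the two-line layout the other KQL rules in this series keep (source filter on the first line, event selection on the next) and makes the line noticeably harder to scan. Keeping the break preserves the prior structure without changing the query: `host.os.type:windows and event.module:("system" or "security") and` followed by `  (event.code:"4720" or event.action:"added-user-account")`. This file's first hunk shows `min_stack_version = "8.14.0"`, so the reliance on host.os.type is presumably covered here; the same is not visible for the other three files in this patch.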