
Conversation

@w0rk3r
Contributor

@w0rk3r w0rk3r commented Nov 14, 2025

Issues

Resolves #5045

Summary

As we no longer have the limitation of the Forwarded Logs not populating the host.os.type field, this PR removes the exception from the unit tests and adjusts the rules.

@w0rk3r w0rk3r self-assigned this Nov 14, 2025
@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Nov 14, 2025
@github-actions
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Nov 14, 2025

⛔️ Test failed

Results
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delegated Managed Service Account Modification by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vault Web Credentials Read (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure from the same Source Address (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FirstTime Seen Account Performing DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder SDProp Exclusion Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Computer Account DnsHostName Update (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AdminSDHolder Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious SeIncreaseBasePriorityPrivilege Use (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Shadow Credentials added to AD Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privileged Escalation via SamAccountName Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Machine Account Relay Attack via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KRBTGT Delegation Backdoor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Creation via Local Kerberos Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ dMSA Account Creation by an Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Privilege SeEnableDelegationPrivilege assigned to a User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kerberos Coercion via DNS-Based SPN Spoofing (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Account Brute Force (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r added the patch label Nov 14, 2025
@Mikaayenson Mikaayenson changed the title "[Rule Tuning] Remove host.os.type Unit Test Exception" to "[Rule Tuning] Remove host.os.type Unit Test Forwarded Events Exception" Nov 14, 2025
Contributor

@Mikaayenson Mikaayenson left a comment


Looks good in general. Can you add backport test output to the summary?

@eric-forte-elastic
Contributor

Just as a note for backport testing, I think for this case it will be slightly different from a normal backport test, as I think the main test is to see if the addition of the host.os.type needs to be min stacked.

As it sits right now, if one were to run this test against 8.19 rules, it would fail like this:

>               self.assertIn("host.os.type", fields, err_msg)
E               AssertionError: 'host.os.type' not found in ['event.action', 'winlog.logon.type', 'source.ip', 'source.ip', 'source.ip', 'user.name', 'winlog.event_data.Status', 'winlog.computer_name', 'source.ip', 'event.action', 'winlog.logon.type', 'source.ip', 'source.ip', 'source.ip', 'user.name', 'winlog.event_data.Status', 'winlog.computer_name', 'source.ip', 'event.action', 'winlog.logon.type', 'source.ip', 'source.ip', 'source.ip', 'user.name', 'winlog.event_data.Status', 'winlog.computer_name', 'source.ip', 'event.action', 'winlog.logon.type', 'source.ip', 'source.ip', 'source.ip', 'user.name', 'winlog.event_data.Status', 'winlog.computer_name', 'source.ip', 'event.action', 'winlog.logon.type', 'source.ip', 'source.ip', 'source.ip', 'user.name', 'winlog.event_data.Status', 'winlog.computer_name', 'source.ip'] : f9790abf-bd0c-45f9-8b5f-d0b74015e029 - Privileged Account Brute Force -> missing required field for endpoint rule

But this is not accurate to what would fail post-merge. This would only be the case for rules that have a min stack of 9.0+.

@eric-forte-elastic
Contributor

eric-forte-elastic commented Nov 14, 2025

Spot-checking a few index templates in 8.19.7, the host.os.type field is there.
E.g. logs-windows.applocker_exe_and_dll Integrations file Diff

Full index mapping (prior to adding agent)
logs-windows.applocker_exe_and_dll.json

Relevant Excerpt

"host": {
...

            "os": {
              "properties": {
                "build": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
...
                "type": {
                  "type": "keyword",
                  "ignore_above": 1024
                },

Also present in sysmon_operational (ref)

Full index template ref:

logs-windows.sysmon_operational.json
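As an added illustration (not code from the elastic/detection-rules repository or from this PR), here are the two checks these comments discuss in minimal form: walking an index-template mapping to confirm host.os.type is mapped, and flagging rules whose query never references it, which is what the test's assertIn("host.os.type", fields, ...) enforces. The mapping excerpt, rule names and queries are constructed samples, and the field-extraction regex is a hypothetical simplification of the real query parser.

```python
import re

# Constructed excerpt of an index-template mapping, shaped like the
# logs-windows.* mappings quoted in the thread (only the fields used here).
SAMPLE_MAPPING = {
    "properties": {
        "host": {"properties": {"os": {"properties": {
            "build": {"type": "keyword", "ignore_above": 1024},
            "type": {"type": "keyword", "ignore_above": 1024},
        }}}},
        "event": {"properties": {"action": {"type": "keyword"}}},
        "source": {"properties": {"ip": {"type": "ip"}}},
    }
}

# Constructed rules (hypothetical names and queries): one tuned to filter on
# host.os.type, one that still lacks it and would fail the unit test.
SAMPLE_RULES = [
    {"name": "Tuned Windows rule",
     "query": 'event.category:"authentication" and host.os.type:"windows" and event.action:"logon-failed"'},
    {"name": "Untuned Windows rule",
     "query": 'event.action:"logon-failed" and source.ip:*'},
]

# Matches "field.name :" / "field.name ==" / "field.name !=" (KQL/EQL style);
# a simplification, not the detection-rules query parser.
_FIELD_RE = re.compile(r"\b([A-Za-z_]\w*(?:\.\w+)*)\s*(?::|==|!=)")


def mapping_field_type(mapping, dotted_field):
    """Walk nested 'properties' of an Elasticsearch mapping; return the field's type or None."""
    node = mapping
    for part in dotted_field.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")


def query_fields(query):
    """Sorted, de-duplicated field names referenced by a query string."""
    return sorted(set(_FIELD_RE.findall(query)))


def rules_missing_field(rules, required="host.os.type"):
    """Names of rules whose query does not reference the required field."""
    return [r["name"] for r in rules if required not in query_fields(r["query"])]


if __name__ == "__main__":
    print("host.os.type mapped as:", mapping_field_type(SAMPLE_MAPPING, "host.os.type"))
    print("rules missing host.os.type:", rules_missing_field(SAMPLE_RULES))
```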

Contributor

@eric-forte-elastic eric-forte-elastic left a comment


🟢 Manual review, see above testing/evidence looks good to me! 👍

@w0rk3r w0rk3r merged commit 8b74ba7 into main Nov 14, 2025
52 of 57 checks passed
@w0rk3r w0rk3r deleted the win_host_os_type branch November 14, 2025 16:46


Development

Successfully merging this pull request may close these issues.

[Rule Tuning] Adjust Windows rules to enforce host.os.type checks

5 participants