[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (elastic#4447)

Author: w0rk3r

rules/macos/credential_access_credentials_keychains.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ for macOS to keep track of users' passwords and credentials for many services an
 websites, secure notes and certificates.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"

rules/macos/credential_access_dumping_keychain_security.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ built-in way for macOS to keep track of users' passwords and credentials for man
 and website passwords, secure notes, certificates, and Kerberos.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"

rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos.
 """
 false_positives = ["Applications for password management."]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"

rules/macos/credential_access_promt_for_pwd_via_osascript.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the use of osascript to execute scripts via standard input that may p
 credentials.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"

rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ downloaded from the internet, there is a quarantine flag set on the file. This a
 defense program at execution time. An adversary may disable this attribute to evade defenses.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Quarantine Attrib Removed by Unsigned or Untrusted Process"

rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ indicate an attempt to bypass macOS privacy controls, including access to sensit
 microphone, address book, and calendar.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Daemon (sshd) to the authorized application list for Full Disk Access. This may
 privacy controls to access sensitive files.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"

rules/macos/discovery_users_domain_built_in_commands.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands related to account or group
 and group information to orient themselves before deciding how to act.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"

rules/macos/execution_initial_access_suspicious_browser_childproc.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ visiting a website over the normal course of browsing. With this technique, the
 for exploitation.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Browser Child Process"

rules/macos/execution_installer_package_spawned_network_event.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
  """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MacOS Installer Package Spawns Network Event"