[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1

rules/linux/command_and_control_tunneling_via_earthworm.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/04/12"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [transform]
 [[transform.osquery]]
@@ -38,7 +40,7 @@ system within a separate protocol to avoid detection and network filtering, or t
 systems.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via EarthWorm"
@@ -155,6 +157,8 @@ tags = [
  "Tactic: Command and Control",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/credential_access_ssh_backdoor_log.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/31"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration.
 """
 false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
@@ -72,6 +74,7 @@ tags = [
  "Tactic: Credential Access",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_chattr_immutable_file.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2022/07/22"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/17"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper
 files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -68,6 +70,7 @@ tags = [
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "auditd_manager"]
+integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/18"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identify activity related where adversaries can add the 'hidden' flag to files t
 to evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Files and Directories via Hidden Flag"
@@ -27,6 +29,7 @@ tags = [
  "Data Source: Elastic Defend",
  "Data Source: Elastic Endgame",
  "Data Source: Auditd Manager",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/08/28"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/28"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ or modify the Doas configuration file to elevate privileges and execute commands
 evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file*", "endgame-*"]
+index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Defense Evasion via Doas"
@@ -52,6 +54,7 @@ tags = [
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
  "Data Source: Elastic Endgame",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_file_deletion_via_shred.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/04/27"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ a network and how. Adversaries may remove these files over the course of an intr
 remove them at the end as part of the post-intrusion cleanup process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File Deletion via Shred"
@@ -51,6 +53,8 @@ tags = [
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
  "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_hidden_shared_object.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2022/07/20"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi
 folders on the system for persistence and defense evasion.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -67,6 +69,7 @@ tags = [
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_ld_so_creation.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/12/16"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/12/16"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ needed by an executable. Attackers may attempt to replace the dynamic linker wit
 arbitrary code.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file*"]
+index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dynamic Linker (ld.so) Creation"
@@ -52,6 +54,8 @@ tags = [
  "Tactic: Execution",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_log_files_deleted.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/23"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att
 forensic evidence on a system.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Log File Deletion"
@@ -69,6 +71,7 @@ tags = [
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/08/28"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/28"
+min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration."
+min_stack_version = "8.16.2"
+updated_date = "2025/01/06"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ provides access control security policies. Modifications to the SELinux configur
 impair defenses by disabling or modifying security tools.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file*", "endgame-*"]
+index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SELinux Configuration Creation or Renaming"
@@ -51,7 +53,8 @@ tags = [
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"