[Rule Tuning] Adapt Rules to work with Sysmon

[w0rk3r]

Summary

Some rules exclude all SYSTEM activity by excluding the S-1-5-18 user.id, the problem is that every sysmon event contains that SID (ref), so these rules could never trigger on its events. Here are 2 examples:

When we use the SID but can still support the datasource:

registry where host.os.type == "windows" and registry.path : ( "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" ) and registry.data.strings : ("2", "0x00000002") and not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) 

Here we are excluding a specific process, so we still support the data source as that exclusion will hit on any occurrence of "?:\\Windows\\system32\\svchost.exe", so alerts will still be generated otherwise.

When it will never trigger:

[...] [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and [...] 

The not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20" condition applies to all of the events, it is not specific to a process, so it will always match and the rule will never be triggered.

[github-actions]

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

• Detailed description of the suggested changes.
• Provide example JSON data or screenshots.
• Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
• Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
• Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
• Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
• Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
• Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
• Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
• Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
• Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
• Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

• updated_date matches the date of tuning PR merged.
• min_stack_version should support the widest stack versions.
• name and description should be descriptive and not include typos.
• query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

• Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
• Ensure that the tuned rule has a low false positive rate.

[tradebot-elastic]

⛔️ Tests failed:

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Potential File Transfer via Curl for Windows (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ Whoami Process Activity (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ WMI Incoming Lateral Movement (eql)
  • stack_validation_failed: no_alerts - 0 alerts

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Potential File Transfer via Curl for Windows (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ Whoami Process Activity (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ WMI Incoming Lateral Movement (eql)
  • stack_validation_failed: no_alerts - 0 alerts

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Potential File Transfer via Curl for Windows (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ Whoami Process Activity (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ WMI Incoming Lateral Movement (eql)
  • stack_validation_failed: no_alerts - 0 alerts

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Potential File Transfer via Curl for Windows (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ Whoami Process Activity (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ WMI Incoming Lateral Movement (eql)
  • stack_validation_failed: no_alerts - 0 alerts

[tradebot-elastic]

⛔️ Tests failed:

• ❌ Potential File Transfer via Curl for Windows (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ Whoami Process Activity (eql)
  • stack_validation_failed: no_alerts - 0 alerts
• ❌ WMI Incoming Lateral Movement (eql)
  • stack_validation_failed: no_alerts - 0 alerts