Pre-built set of rules still using SYSMON-based detection (winlogbeat-*, event.code: 1, etc.) or using linguistic terms specific to an operating system (e.g. Win 10 EN system user is SYSTEM, but Win 10 PT-BR system user is SISTEMA)


Attached evidence.
With respect to using only the winlogbeat-* index for some rules, it may make sense to review all the pre-built rules so that we can also use the Endpoint Agent index (logs-endpoint.events.*) instead of just winlogbeat-*.

Another thing is about rules that contain specific linguistic terms for a certain version of Windows: since Elastic has customers in several countries, it might be good to adapt the rules so that they are agnostic about the language. It may be possible to detect otherwise that a command was run with the SYSTEM user, without having to specifically compare the name of the user who ran the command. Perhaps the SID/GID would be the best option, or the token related to the process.

I am using ELK 7.9.2.

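Below is an added worked example, written for this thread and not taken from the post above or from Elastic's own detection-rules repository, that shows both points the poster raises in executable form: a rule that scopes itself to both index patterns (winlogbeat-* and logs-endpoint.events.*) and keys the "ran as SYSTEM" check on the well-known LocalSystem SID S-1-5-18 rather than on the localized account name. The events are constructed samples, not real telemetry; the field layout follows ECS, and it is assumed that user.id carries the account SID in both the Winlogbeat Sysmon module output and the Endpoint process events (Endpoint does populate it; whether Winlogbeat does for Sysmon event 1 depends on the Sysmon and module versions, so treat that as an assumption to verify in your own data).

```python
"""Locale-agnostic SYSTEM detection over ECS process events.

Added example for this thread; sample events are constructed, and the
assumption that `user.id` holds the Windows SID in both shippers' output
should be verified against real documents before relying on it.
"""
import fnmatch

# Well-known SIDs documented by Microsoft. They are identical on every
# Windows locale, unlike the display names (SYSTEM / SISTEMA / SYSTÈME ...).
LOCALSYSTEM_SID = "S-1-5-18"
LOCALSERVICE_SID = "S-1-5-19"
NETWORKSERVICE_SID = "S-1-5-20"

# Index patterns the rule should cover so it fires regardless of shipper.
RULE_INDEX_PATTERNS = ["winlogbeat-*", "logs-endpoint.events.*"]

# Constructed sample events (not real telemetry). Index names are illustrative.
SAMPLE_EVENTS = [
    {   # Sysmon event 1 via Winlogbeat, English Windows 10
        "_index": "winlogbeat-7.9.2-2020.10.21",
        "event": {"code": "1", "category": "process", "type": "start"},
        "process": {"name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
        "user": {"name": "SYSTEM", "domain": "NT AUTHORITY", "id": "S-1-5-18"},
    },
    {   # Same activity on a pt-BR Windows 10: name is localized, SID is not
        "_index": "winlogbeat-7.9.2-2020.10.21",
        "event": {"code": "1", "category": "process", "type": "start"},
        "process": {"name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
        "user": {"name": "SISTEMA", "domain": "AUTORIDADE NT", "id": "S-1-5-18"},
    },
    {   # Endpoint agent process event: no event.code 1, different index
        "_index": "logs-endpoint.events.process-default",
        "event": {"category": ["process"], "type": ["start"]},
        "process": {"name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
        "user": {"name": "SISTEMA", "domain": "AUTORIDADE NT", "id": "S-1-5-18"},
    },
    {   # Ordinary domain user on the same host: must not match
        "_index": "logs-endpoint.events.process-default",
        "event": {"category": ["process"], "type": ["start"]},
        "process": {"name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
        "user": {"name": "alice", "domain": "CORP",
                 "id": "S-1-5-21-1111111111-2222222222-3333333333-1001"},
    },
]


def _as_list(value):
    """ECS allows event.category/event.type as a string or an array."""
    return value if isinstance(value, list) else [value]


def in_rule_scope(event, patterns=RULE_INDEX_PATTERNS):
    """True if the event's index matches one of the rule's index patterns."""
    return any(fnmatch.fnmatchcase(event["_index"], p) for p in patterns)


def is_process_start(event):
    """Shipper-agnostic process creation: ECS category/type, not Sysmon event.code 1."""
    ev = event.get("event", {})
    return ("process" in _as_list(ev.get("category", []))
            and "start" in _as_list(ev.get("type", [])))


def name_based_is_system(event):
    """The locale-dependent check the pre-built rules use today."""
    return event.get("user", {}).get("name") == "SYSTEM"


def sid_based_is_system(event):
    """Locale-independent check on the LocalSystem SID."""
    return event.get("user", {}).get("id") == LOCALSYSTEM_SID


def system_cmd_hits(events, predicate, patterns=RULE_INDEX_PATTERNS):
    """Return the indices of events a 'cmd.exe started as SYSTEM' rule would match."""
    return [
        e["_index"] for e in events
        if in_rule_scope(e, patterns)
        and is_process_start(e)
        and e["process"]["name"].lower() == "cmd.exe"
        and predicate(e)
    ]


def kql_query():
    """Equivalent KQL for the SID-based rule body (assumed field names as above)."""
    return ('event.category:process and event.type:start and '
            'process.name:"cmd.exe" and user.id:"S-1-5-18"')


if __name__ == "__main__":
    print("name-based:", system_cmd_hits(SAMPLE_EVENTS, name_based_is_system))
    print("sid-based: ", system_cmd_hits(SAMPLE_EVENTS, sid_based_is_system))
    print("sid-based, winlogbeat-* only:",
          system_cmd_hits(SAMPLE_EVENTS, sid_based_is_system, ["winlogbeat-*"]))
    print(kql_query())
```

Run stand-alone, the name-based predicate matches only the English Winlogbeat event, the SID-based predicate matches all three SYSTEM events and ignores the domain user, and narrowing the index patterns back to winlogbeat-* alone silently drops the Endpoint event. For the rule itself, the `index` list and the `user.id` clause returned by `kql_query()` are the two things to change; the SID comparison also generalizes to LocalService and NetworkService by swapping in the constants above.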

Sorry for the late reply,

I just stumbled on this and I should socialize this to a few people and see if they have seen this forum post yet or not. These look like some valid questions and some interesting technical information and details about user-based names.

So you know, the rules depot linked below is where all the feedback specific to rule content goes and they are pretty active on discussing and answering issues. You might do well creating an issue there about some of these things:
