Description
Related
Overview
Recently, TRADE added logs-system.* indexes to the rules that were compatible with them, where the query logic and schemas allowed it. @Samirbous identified ~60 rules that were compatible with Event 4688 and made the necessary adjustments.
A community member followed up shortly after with additional rules and potential data stream compatibility overlap. This is fantastic work; we should update the rules that were mentioned and explore any other candidates.
The following comment was also made. It aligns with our third-party EDR support initiative, so it may be best to track it under our internally tracked issues on that matter.
Rule will work with CrowdStrike FDR integration - Unusual Process Network Connection
Note: They are replacing Beats with the Elastic Agent, so integrations such as Windows, Elastic Defend and System are likely to be used. Either way, we should address compatibility in general.
Stretch
As discussed with @Samirbous - We can potentially add a unit test that checks for index overlap or missing indexes in a rule if it is Windows related. We already parse the AST object, integration tag, and indexes, so we may be able to set up a unit test that identifies when one or the other is missing.
Let's capture the semantics of this here and then we can create a separate issue for our DED area to handle.
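A sketch of what such a consistency check could look like, added here as an illustration rather than code from the detection-rules project: the integration-to-index mapping, the `OS: Windows` tag value and the `Rule` container are assumptions, and a regex stands in for walking the query AST to spot an Event 4688 dependency.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed mapping of integration names to the index patterns that carry
# their data. Placeholder table for this example, not the project's own.
INTEGRATION_INDEXES: Dict[str, List[str]] = {
    "windows": ["logs-windows.*", "winlogbeat-*"],
    "endpoint": ["logs-endpoint.events.*"],
    "system": ["logs-system.*"],
}
WINDOWS_TAG = "OS: Windows"  # assumed tag value marking a Windows rule
# Simplified stand-in for AST inspection: does the query key on Event 4688?
EVENT_4688 = re.compile(r'event\.code\s*:\s*"?4688"?')


@dataclass
class Rule:  # hypothetical flattened view of a rule's TOML metadata
    name: str
    query: str
    index: List[str]
    tags: List[str]
    integration: List[str] = field(default_factory=list)


def check_windows_index_coverage(rule: Rule) -> List[str]:
    """Return findings for a Windows rule; an empty list means consistent."""
    findings: List[str] = []
    if WINDOWS_TAG not in rule.tags:
        return findings  # only Windows-related rules are in scope
    # 1) every tagged integration must be backed by at least one of its indexes
    for integ in rule.integration:
        patterns = INTEGRATION_INDEXES.get(integ)
        if patterns is None:
            findings.append(f"unknown integration {integ!r}")
        elif not any(p in rule.index for p in patterns):
            findings.append(f"integration {integ!r} tagged but none of {patterns} in index")
    # 2) every known index must have its integration tagged (overlap check)
    index_owner = {p: i for i, ps in INTEGRATION_INDEXES.items() for p in ps}
    for idx in rule.index:
        owner = index_owner.get(idx)
        if owner and owner not in rule.integration:
            findings.append(f"index {idx!r} present but integration {owner!r} not tagged")
    # 3) a query keyed on Event 4688 needs the system integration's data stream
    if EVENT_4688.search(rule.query) and "logs-system.*" not in rule.index:
        findings.append("query uses event.code 4688 but logs-system.* is missing from index")
    return findings
```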