elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] Compatible Windows Rule Index Updates with Winlog, Defend and System

terrancedejesus opened this issue

Related

Overview

Recently, TRADE added logs-system.* indexes to rules that were compatible, dependent on query logic and schemas. @Samirbous identified ~60 rules that were compatible with Event 4688 and made the necessary adjustments.

A community member followed up shortly after with additional rules and potential data stream compatibility overlap. This is fantastic work and we should update what rules have been mentioned, as well as explore any other potentials.

Tasks

The following comment was made as well. This will align with our third-party EDR support initiative so it may be best to task it to our internally tracked issues regarding this matter.

Rule will work with CrowdStrike FDR integration - Unusual Process Network Connection

Note: They are replacing beats with the elastic agent, so integrations like Windows, Elastic Defend and System are potentially bound to be used. Either way we should address compatibility in general.

Stretch

As discussed with @Samirbous - We can potentially add a unit test that checks for index overlap or missing indexes in a rule if it is Windows related. We parse the AST object, integration tag, and indexes, so we may be able to set up a unit test to identify when one or the other is missing.

Let's capture the semantics of this here and then we can create a separate issue for our DED area to handle.
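A toy version of the index-consistency check sketched above, as an added example rather than the detection-rules repository's own test code: the tag names and every index pattern other than logs-system.* are assumed conventions, a regex stands in for the real query AST, and the sample rules are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed tag -> index conventions; only logs-system.* is named on the issue.
INTEGRATION_INDEXES = {
    "Data Source: Windows": "logs-windows.*",
    "Data Source: System": "logs-system.*",
    "Data Source: Elastic Defend": "logs-endpoint.events.*",
}
WINDOWS_OS_TAG = "OS: Windows"
# Regex stand-in for the AST walk: a process-start query is one the System
# integration can serve through Security event 4688 (process creation).
PROCESS_CATEGORY = re.compile(r'(\bprocess where\b|event\.category\s*(:|==)\s*"?process"?)')
START_TYPE = re.compile(r'event\.type\s*(:|==)\s*"?start"?')


@dataclass
class Rule:
    name: str
    query: str
    index: list[str]
    tags: list[str] = field(default_factory=list)


def check_windows_rule(rule: Rule) -> list[str]:
    """Findings for a Windows rule: a tag without its index pattern, an index
    pattern without its tag, or a 4688-compatible query with no logs-system.*."""
    findings = []
    if WINDOWS_OS_TAG not in rule.tags:
        return findings  # only Windows-related rules are in scope
    indexes = set(rule.index)
    for tag, pattern in INTEGRATION_INDEXES.items():
        if tag in rule.tags and pattern not in indexes:
            findings.append(f"{rule.name}: tagged '{tag}' but missing index {pattern}")
        elif pattern in indexes and tag not in rule.tags:
            findings.append(f"{rule.name}: indexes {pattern} but lacks tag '{tag}'")
    if (PROCESS_CATEGORY.search(rule.query) and START_TYPE.search(rule.query)
            and "logs-system.*" not in indexes):
        findings.append(f"{rule.name}: process-start query (event 4688) without logs-system.*")
    return findings


# Constructed sample rules, not rules from the repository.
SAMPLE_RULES = [
    Rule("proc_start_ok", 'process where event.type == "start" and process.name : "x.exe"',
         ["logs-endpoint.events.*", "logs-windows.*", "logs-system.*"],
         ["OS: Windows", "Data Source: Elastic Defend", "Data Source: Windows", "Data Source: System"]),
    Rule("proc_start_no_system", 'event.category:process and event.type:start',
         ["logs-endpoint.events.*", "logs-windows.*"],
         ["OS: Windows", "Data Source: Elastic Defend", "Data Source: Windows"]),
    Rule("tag_without_index", 'registry where event.type == "change"',
         ["logs-endpoint.events.*"], ["OS: Windows", "Data Source: Elastic Defend", "Data Source: System"]),
]
```

Running `check_windows_rule` over each rule in a rule set inside an existing unit test would surface both kinds of mismatch in one pass.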

### Update

I opened this PR to improve compatibility with system integration and solve a couple of other compatibility problems reported by users.

I opened this issue to ask for adjustments in some mappings for compatibility with Windows and system integration with Elastic Defend.