Overview of Windows Threats Category

This document provides an overview of the rule sets in the Windows Threats category, the required data sources, and configuration you can use to tune the alerts generated by these rule sets.

Rule sets in the Windows Threats category help identify threats in Microsoft Windows environments using Endpoint Detection and Response (EDR) logs. This category includes the following rule sets:

  • Anomalous PowerShell: Identifies PowerShell commands containing obfuscation techniques or other anomalous behavior.
  • Crypto Activity: Activity associated with suspicious cryptocurrency use.
  • Hacktool: Freely available tools that may be deemed suspicious but can be legitimate depending on how the organization uses them.
  • Info Stealer: Tools used to steal credentials and other sensitive data, including passwords, cookies, and cryptocurrency wallets.
  • Initial Access: Tools that exhibit suspicious behavior while being used to gain initial execution on a machine.
  • Legitimate but Misused: Legitimate software that is known to be abused for malicious purposes.
  • Living off the Land (LotL) Binaries: Tools native to Microsoft Windows operating systems that can be abused by threat actors for malicious purposes.
  • Named Threat: Behavior associated with a known threat actor.
  • Ransomware: Activity associated with ransomware.
  • RAT: Tools used to provide remote command and control of network assets.
  • Security Posture Downgrade: Activity attempting to disable or decrease the effectiveness of security tools.
  • Suspicious Behavior: General suspicious behavior.

Supported devices and log types

Rule sets in the Windows Threats category have been tested and are supported with the following Chronicle supported EDR data sources:

  • Carbon Black (CB_EDR)
  • Microsoft Sysmon (WINDOWS_SYSMON)
  • SentinelOne (SENTINEL_EDR)
  • CrowdStrike Falcon (CS_EDR)

Rule sets in the Windows Threats category are being tested and optimized for the following Chronicle supported EDR data sources:

  • Tanium
  • Cybereason EDR (CYBEREASON_EDR)
  • Lima Charlie (LIMACHARLIE_EDR)
  • OSQuery
  • Zeek
  • Cylance (CYLANCE_PROTECT)

Contact your Chronicle representative if you are collecting endpoint data using different EDR software.

For a list of all Chronicle supported data sources, see Supported default parsers.

Required fields needed by Windows Threats category

This section describes the data that rule sets in the Windows Threats category need in order to provide the greatest benefit. Make sure that your devices are configured to record the following data in their event logs.

  • Event Timestamp
  • Hostname: Hostname of the system where the EDR software is running.
  • Principal Process: Name of the current process being logged.
  • Principal Process Path: Location on disk of the current running process, if available.
  • Principal Process Command Line: Command line parameters of the process, if available.
  • Target Process: Name of the spawned process being launched by the principal process.
  • Target Process Path: Location on disk of the target process, if available.
  • Target Process Command Line: Command line parameters of the target process, if available.
  • Target Process SHA256/MD5: Checksum of the target process, if available. This is used to tune alerts.
  • User ID: The username under which the principal process runs.

Tuning alerts returned by Windows Threats category

You can reduce the number of detections a rule or rule set generates using rule exclusions.

A rule exclusion defines the criteria used to exclude an event from being evaluated by the rule set, or by specific rules in the rule set. Create one or more rule exclusions to help reduce the volume of detections. See Configure rule exclusions for information about how to do this.
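The following is an added example, not Chronicle's own code, that ties the required-fields list to the tuning section: it checks whether EDR events carry the fields listed above (distinguishing unconditional fields from the "if available" ones) and then applies hash- and path-based exclusions of the kind a rule exclusion expresses. The snake_case keys mirror the page's field names and stand in for whatever UDM fields your parser populates; the events and hashes are constructed sample data.

```python
# Added example, not Chronicle's own code. Keys mirror the page's field names and
# are placeholders for the UDM fields your parser populates (an assumption).
REQUIRED = ("event_timestamp", "hostname", "principal_process",
            "target_process", "user_id")
OPTIONAL = ("principal_process_path", "principal_process_command_line",
            "target_process_path", "target_process_command_line",
            "target_process_sha256", "target_process_md5")


def field_coverage(event):
    """Return (missing_required, missing_optional) for one event.
    Missing required fields mean the rule sets cannot evaluate the event;
    missing optional ones only limit tuning (e.g. no hash to exclude on)."""
    missing_req = [f for f in REQUIRED if not event.get(f)]
    missing_opt = [f for f in OPTIONAL if not event.get(f)]
    return missing_req, missing_opt


def matches_exclusion(event, exclusion):
    """True if every criterion in the exclusion matches the event.
    Hashes compare case-insensitively (EDR vendors differ in case);
    paths compare as prefixes so an approved install directory can be excluded."""
    for field, wanted in exclusion.items():
        have = event.get(field)
        if have is None:
            return False  # an absent field never satisfies a criterion
        if field.endswith(("_sha256", "_md5")):
            if have.lower() != wanted.lower():
                return False
        elif field.endswith("_path"):
            if not have.lower().startswith(wanted.lower()):
                return False
        elif have != wanted:
            return False
    return True


def events_to_evaluate(events, exclusions):
    """Drop events that hit any exclusion; the rest go on to the rule sets."""
    return [e for e in events
            if not any(matches_exclusion(e, x) for x in exclusions)]


# Constructed sample: the same admin tool launched from an approved path and
# from a user-writable directory. Only the former should be excluded.
EVENTS = [
    {"event_timestamp": "2024-01-01T00:00:00Z", "hostname": "ws01", "user_id": "alice",
     "principal_process": "explorer.exe", "target_process": "psexec.exe",
     "target_process_path": r"C:\Program Files\Sysinternals\psexec.exe",
     "target_process_sha256": "AB" * 32},   # constructed hash, upper-case on purpose
    {"event_timestamp": "2024-01-01T00:00:01Z", "hostname": "ws01", "user_id": "alice",
     "principal_process": "cmd.exe", "target_process": "psexec.exe",
     "target_process_path": r"C:\Users\alice\Downloads\psexec.exe",
     "target_process_sha256": "cd" * 32},   # constructed hash
]
EXCLUSIONS = [{"target_process_sha256": "ab" * 32,
               "target_process_path": r"C:\Program Files\Sysinternals"}]
```

Run `field_coverage` over a sample of ingested events before enabling the rule sets; a high rate of missing optional fields shows which tuning criteria your data source cannot support.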