Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`

chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
github-actions[bot] and nasbench committed Apr 1, 2024
1 parent 720397d commit a8e1ecd
Showing 112 changed files with 112 additions and 112 deletions.
@@ -1,6 +1,6 @@
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: experimental
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
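Review bot: The description in this hunk reads "This behavior was seen common across different Devil Bait samples and stages as described by the NCSC" and lacks a terminal period; since the file is already being touched, "This behavior was commonly seen across different Devil Bait samples and stages, as described by the NCSC." would read better. The status change itself is a one-line promotion and needs no further change.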
@@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: derived
status: experimental
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor IOC
id: f0bafe60-1240-4798-9e60-4364b97e6bad
status: experimental
status: test
description: Detects malicious indicators seen used by the Goofy Guineapig malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: experimental
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: experimental
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
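Review bot: The title in this hunk, "Potential Goofy Guineapig GoolgeUpdate Process Anomaly", misspells "GoogleUpdate" (the description correctly names "GoogleUpdate.exe"). A typo in the title propagates into every backend that uses the title as the alert name, so it is worth correcting while the rule is being promoted.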
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor Potential C2 Communication
id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
status: experimental
status: test
description: Detects potential C2 communication related to Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor Service Creation
id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
status: experimental
status: test
description: Detects service creation persistence used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Small Sieve Malware File Indicator Creation
id: 39466c42-c189-476a-989f-8cdb135c163a
status: experimental
status: test
description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
@@ -1,6 +1,6 @@
title: Small Sieve Malware Potential C2 Communication
id: b0422664-37a4-4e78-949a-4a139309eaf0
status: experimental
status: test
description: Detects potential C2 communication related to Small Sieve malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
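Review bot: The reference in this hunk looks wrong for the rule: "Small Sieve Malware Potential C2 Communication" cites the Goofy Guineapig report (NCSC-MAR-Goofy-Guineapig.pdf), while the sibling rule "Small Sieve Malware File Indicator Creation" cites NCSC-MAR-Small-Sieve.pdf. Promoting a rule to `test` implies its references were checked, so this should point at the Small Sieve report.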
@@ -1,6 +1,6 @@
title: BlueSky Ransomware Artefacts
id: eee8311f-a752-44f0-bf2f-6b007db16300
status: experimental
status: test
description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
references:
- https://unit42.paloaltonetworks.com/bluesky-ransomware/
@@ -1,6 +1,6 @@
title: Potential CVE-2023-25717 Exploitation Attempt
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
status: experimental
status: test
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
references:
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
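Review bot: The description in this hunk is missing punctuation around the apposition: "exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin" should read "exploitation attempt of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin."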
@@ -1,6 +1,6 @@
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
id: c3b2a774-3152-4989-83c1-7afc48fd1599
status: experimental
status: test
description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
references:
- https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
@@ -1,6 +1,6 @@
title: Potential Qakbot Rundll32 Execution
id: cf879ffb-793a-4753-9a14-bc8f37cc90df
status: experimental
status: test
description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
@@ -1,6 +1,6 @@
title: Qakbot Rundll32 Exports Execution
id: 339ed3d6-5490-46d0-96a7-8abe33078f58
status: experimental
status: test
description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
@@ -1,6 +1,6 @@
title: Qakbot Rundll32 Fake DLL Extension Execution
id: bfd34392-c591-4009-b938-9fd985a28b85
status: experimental
status: test
description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
@@ -1,6 +1,6 @@
title: SNAKE Malware Kernel Driver File Indicator
id: d6d9d23f-69c1-41b5-8305-fa8250bd027f
status: experimental
status: test
description: Detects SNAKE malware kernel driver file indicator
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
@@ -1,6 +1,6 @@
title: SNAKE Malware Installer Name Indicators
id: 99eccc2b-7182-442f-8806-b76cc36d866b
status: experimental
status: test
description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
@@ -1,6 +1,6 @@
title: SNAKE Malware WerFault Persistence File Creation
id: 64827580-e4c3-4c64-97eb-c72325d45399
status: experimental
status: test
description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
@@ -1,6 +1,6 @@
title: SNAKE Malware Covert Store Registry Key
id: d0fa35db-0e92-400e-aa16-d32ae2521618
status: experimental
status: test
description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
@@ -1,6 +1,6 @@
title: SNAKE Malware Service Persistence
id: b2e60816-96b2-45bd-ba91-b63578c03ef6
status: experimental
status: test
description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
@@ -15,7 +15,7 @@ related:
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: experimental
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
@@ -3,7 +3,7 @@ id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
related:
- id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
type: similar
status: experimental
status: test
description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
references:
- https://securelist.com/operation-triangulation/109842/
@@ -3,7 +3,7 @@ id: aa03c712-75c6-438b-8d42-de88f2427e09
related:
- id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2
type: similar
status: experimental
status: test
description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
references:
- https://securelist.com/operation-triangulation/109842/
@@ -1,6 +1,6 @@
title: Potential APT Mustang Panda Activity Against Australian Gov
id: 7806bb49-f653-48d3-a915-5115c1a85234
status: experimental
status: test
description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
@@ -1,6 +1,6 @@
title: Microsoft Excel Add-In Loaded
id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
status: experimental
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file
references:
- https://www.mandiant.com/resources/blog/lnk-between-browsers
@@ -1,6 +1,6 @@
title: Potential Password Reconnaissance Via Findstr.EXE
id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
status: experimental
status: test
description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
references:
- https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
@@ -1,6 +1,6 @@
title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: experimental
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
@@ -1,6 +1,6 @@
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: experimental
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
@@ -1,6 +1,6 @@
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: experimental
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
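Review bot: The three S3Browser hunks spell the tool inconsistently ("S3 Browser utility" in the LoginProfile and User/AccessKey rules, "S3 browser utility" in the bucket policy rule, "S3Browser" in all three titles); picking one spelling across the set would make the rules easier to find when searching by name.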
2 changes: 1 addition & 1 deletion rules/cloud/okta/okta_fastpass_phishing_detection.yml
@@ -1,6 +1,6 @@
title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: experimental
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
- https://sec.okta.com/fastpassphishingdetection
@@ -1,6 +1,6 @@
title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: experimental
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: Wget Creating Files in Tmp Directory
id: 35a05c60-9012-49b6-a11f-6bab741c9f74
status: experimental
status: test
description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: Crontab Enumeration
id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
status: experimental
status: test
description: Detects usage of crontab to list the tasks of the user
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: experimental
status: test
description: |
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
references:
@@ -1,6 +1,6 @@
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: experimental
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -3,7 +3,7 @@ id: 457df417-8b9d-4912-85f3-9dbda39c3645
related:
- id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
type: derived
status: experimental
status: test
description: Detects execution of binaries located in potentially suspicious locations via "nohup"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: experimental
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: experimental
status: test
description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
references:
- https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
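Review bot: The second sentence of the description in this hunk, "Monitors files that you don't expect to change without planning on Linux system.", needs "on Linux systems" (or "on a Linux system"); the rule is otherwise unchanged apart from the status promotion.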
@@ -1,6 +1,6 @@
title: Shell Execution Of Process Located In Tmp Directory
id: 2fade0b6-7423-4835-9d4f-335b39b83867
status: experimental
status: test
description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: Execution Of Script Located In Potentially Suspicious Directory
id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
status: experimental
status: test
description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
@@ -1,6 +1,6 @@
title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: experimental
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
2 changes: 1 addition & 1 deletion rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
@@ -1,6 +1,6 @@
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: experimental
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
- https://twitter.com/jhencinski/status/1102695118455349248
@@ -1,6 +1,6 @@
title: Certificate Private Key Acquired
id: e2b5163d-7deb-4566-9af3-40afea6858c3
status: experimental
status: test
description: Detects when an application acquires a certificate private key
references:
- https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
@@ -1,6 +1,6 @@
title: Certificate Exported From Local Certificate Store
id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
status: experimental
status: test
description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
references:
- https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
@@ -1,6 +1,6 @@
title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
id: 5daf11c3-022b-4969-adb9-365e6c078c7c
status: experimental
status: test
description: Detects block events for files that are disallowed by code integrity for protected processes
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
@@ -1,6 +1,6 @@
title: CodeIntegrity - Blocked Driver Load With Revoked Certificate
id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
status: experimental
status: test
description: Detects blocked load attempts of revoked drivers
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
@@ -1,6 +1,6 @@
title: CodeIntegrity - Revoked Kernel Driver Loaded
id: 320fccbf-5e32-4101-82b8-2679c5f007c6
status: experimental
status: test
description: Detects the load of a revoked kernel driver
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
@@ -1,6 +1,6 @@
title: CodeIntegrity - Blocked Image Load With Revoked Certificate
id: 6f156c48-3894-4952-baf0-16193e9067d2
status: experimental
status: test
description: Detects blocked image load events with revoked certificates by code integrity.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
@@ -1,6 +1,6 @@
title: CodeIntegrity - Revoked Image Loaded
id: 881b7725-47cc-4055-8000-425823344c59
status: experimental
status: test
description: Detects image load events with revoked certificates by code integrity.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations

0 comments on commit a8e1ecd

Please sign in to comment.