From 790b4d060443bcddd9250f0b04c76eb4c8ad32f7 Mon Sep 17 00:00:00 2001 
From: brokensound77 Date: Tue, 23 Aug 2022 23:42:39 -0600 Subject: [PATCH 1/2] min_stack all rules to 8.3 --- rules/apm/apm_403_response_to_a_post.toml | 2 ++ rules/apm/apm_405_response_method_not_allowed.toml | 2 ++ rules/apm/apm_null_user_agent.toml | 2 ++ rules/apm/apm_sqlmap_user_agent.toml | 2 ++ ...credential_access_cookies_chromium_browsers_debugging.toml | 2 ++ .../defense_evasion_agent_spoofing_mismatched_id.toml | 4 ++-- .../defense_evasion_agent_spoofing_multiple_hosts.toml | 4 ++-- .../defense_evasion_deleting_websvr_access_logs.toml | 2 ++ ...defense_evasion_deletion_of_bash_command_line_history.toml | 2 ++ .../defense_evasion_elastic_agent_service_terminated.toml | 2 ++ rules/cross-platform/defense_evasion_timestomp_touch.toml | 2 ++ rules/cross-platform/discovery_security_software_grep.toml | 2 ++ .../discovery_virtual_machine_fingerprinting_grep.toml | 2 ++ .../execution_pentest_eggshell_remote_admin_tool.toml | 2 ++ rules/cross-platform/execution_revershell_via_shell_cmd.toml | 2 ++ .../execution_suspicious_jar_child_process.toml | 2 ++ .../execution_suspicious_java_netcon_childproc.toml | 2 ++ rules/cross-platform/impact_hosts_file_modified.toml | 4 ++-- .../initial_access_zoom_meeting_with_no_passcode.toml | 2 ++ ...stence_credential_access_modify_auth_module_or_config.toml | 2 ++ .../persistence_shell_profile_modification.toml | 2 ++ .../persistence_ssh_authorized_keys_modification.toml | 2 ++ .../privilege_escalation_echo_nopasswd_sudoers.toml | 2 ++ .../privilege_escalation_setuid_setgid_bit_set_via_chmod.toml | 2 ++ .../privilege_escalation_sudo_buffer_overflow.toml | 2 ++ .../cross-platform/privilege_escalation_sudoers_file_mod.toml | 2 ++ rules/cross-platform/threat_intel_filebeat8x.toml | 4 ++-- rules/cross-platform/threat_intel_fleet_integrations.toml | 4 ++-- .../aws/collection_cloudtrail_logging_created.toml | 2 ++ .../credential_access_aws_iam_assume_role_brute_force.toml | 2 ++ .../aws/credential_access_iam_user_addition_to_group.toml 
| 2 ++ .../credential_access_root_console_failure_brute_force.toml | 2 ++ .../aws/credential_access_secretsmanager_getsecretvalue.toml | 2 ++ .../aws/defense_evasion_cloudtrail_logging_deleted.toml | 2 ++ .../aws/defense_evasion_cloudtrail_logging_suspended.toml | 2 ++ .../aws/defense_evasion_cloudwatch_alarm_deletion.toml | 2 ++ .../aws/defense_evasion_config_service_rule_deletion.toml | 2 ++ .../aws/defense_evasion_configuration_recorder_stopped.toml | 2 ++ .../aws/defense_evasion_ec2_flow_log_deletion.toml | 2 ++ .../aws/defense_evasion_ec2_network_acl_deletion.toml | 2 ++ .../defense_evasion_elasticache_security_group_creation.toml | 2 ++ ...vasion_elasticache_security_group_modified_or_deleted.toml | 2 ++ .../aws/defense_evasion_guardduty_detector_deletion.toml | 2 ++ .../aws/defense_evasion_s3_bucket_configuration_deletion.toml | 2 ++ rules/integrations/aws/defense_evasion_waf_acl_deletion.toml | 2 ++ .../aws/defense_evasion_waf_rule_or_rule_group_deletion.toml | 2 ++ ...exfiltration_ec2_full_network_packet_capture_detected.toml | 2 ++ .../aws/exfiltration_ec2_snapshot_change_activity.toml | 2 ++ .../integrations/aws/exfiltration_ec2_vm_export_failure.toml | 2 ++ rules/integrations/aws/exfiltration_rds_snapshot_export.toml | 2 ++ .../integrations/aws/exfiltration_rds_snapshot_restored.toml | 2 ++ .../aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml | 2 ++ rules/integrations/aws/impact_cloudtrail_logging_updated.toml | 2 ++ .../aws/impact_cloudwatch_log_group_deletion.toml | 2 ++ .../aws/impact_cloudwatch_log_stream_deletion.toml | 2 ++ rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml | 2 ++ .../aws/impact_efs_filesystem_or_mount_deleted.toml | 2 ++ rules/integrations/aws/impact_iam_deactivate_mfa_device.toml | 2 ++ rules/integrations/aws/impact_iam_group_deletion.toml | 2 ++ rules/integrations/aws/impact_rds_group_deletion.toml | 2 ++ .../aws/impact_rds_instance_cluster_deletion.toml | 2 ++ 
.../aws/impact_rds_instance_cluster_stoppage.toml | 2 ++ rules/integrations/aws/initial_access_console_login_root.toml | 2 ++ rules/integrations/aws/initial_access_password_recovery.toml | 2 ++ rules/integrations/aws/initial_access_via_system_manager.toml | 2 ++ rules/integrations/aws/ml_cloudtrail_error_message_spike.toml | 2 ++ rules/integrations/aws/ml_cloudtrail_rare_error_code.toml | 2 ++ rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml | 2 ++ .../aws/ml_cloudtrail_rare_method_by_country.toml | 2 ++ rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml | 2 ++ .../aws/persistence_ec2_network_acl_creation.toml | 2 ++ ...nce_ec2_security_group_configuration_change_detection.toml | 2 ++ rules/integrations/aws/persistence_iam_group_creation.toml | 2 ++ rules/integrations/aws/persistence_rds_cluster_creation.toml | 2 ++ rules/integrations/aws/persistence_rds_group_creation.toml | 2 ++ rules/integrations/aws/persistence_rds_instance_creation.toml | 2 ++ .../aws/persistence_redshift_instance_creation.toml | 2 ++ .../persistence_route_53_domain_transfer_lock_disabled.toml | 2 ++ ...stence_route_53_domain_transferred_to_another_account.toml | 2 ++ ...ersistence_route_53_hosted_zone_associated_with_a_vpc.toml | 2 ++ rules/integrations/aws/persistence_route_table_created.toml | 2 ++ .../aws/persistence_route_table_modified_or_deleted.toml | 2 ++ .../privilege_escalation_aws_suspicious_saml_activity.toml | 2 ++ .../aws/privilege_escalation_root_login_without_mfa.toml | 2 ++ .../aws/privilege_escalation_sts_assumerole_usage.toml | 2 ++ .../aws/privilege_escalation_sts_getsessiontoken_abuse.toml | 2 ++ .../aws/privilege_escalation_updateassumerolepolicy.toml | 2 ++ .../azure/collection_update_event_hub_auth_rule.toml | 2 ++ ...ial_access_azure_full_network_packet_capture_detected.toml | 2 ++ .../azure/credential_access_key_vault_modified.toml | 2 ++ .../credential_access_storage_account_key_regenerated.toml | 2 ++ 
...nse_evasion_azure_application_credential_modification.toml | 2 ++ .../defense_evasion_azure_automation_runbook_deleted.toml | 2 ++ .../defense_evasion_azure_blob_permissions_modified.toml | 2 ++ .../defense_evasion_azure_diagnostic_settings_deletion.toml | 2 ++ .../defense_evasion_azure_service_principal_addition.toml | 2 ++ .../azure/defense_evasion_event_hub_deletion.toml | 2 ++ .../azure/defense_evasion_firewall_policy_deletion.toml | 2 ++ .../defense_evasion_frontdoor_firewall_policy_deletion.toml | 2 ++ .../azure/defense_evasion_kubernetes_events_deleted.toml | 2 ++ .../azure/defense_evasion_network_watcher_deletion.toml | 2 ++ .../azure/defense_evasion_suppression_rule_created.toml | 2 ++ .../azure/discovery_blob_container_access_mod.toml | 2 ++ .../integrations/azure/execution_command_virtual_machine.toml | 2 ++ .../impact_azure_service_principal_credentials_added.toml | 2 ++ rules/integrations/azure/impact_kubernetes_pod_deleted.toml | 2 ++ rules/integrations/azure/impact_resource_group_deletion.toml | 2 ++ .../azure/impact_virtual_network_device_modified.toml | 2 ++ ...nitial_access_azure_active_directory_high_risk_signin.toml | 2 ++ ...active_directory_high_risk_signin_atrisk_or_confirmed.toml | 2 ++ ...itial_access_azure_active_directory_powershell_signin.toml | 2 ++ ...consent_grant_attack_via_azure_registered_application.toml | 2 ++ .../azure/initial_access_external_guest_user_invite.toml | 2 ++ .../azure/persistence_azure_automation_account_created.toml | 2 ++ ...sistence_azure_automation_runbook_created_or_modified.toml | 2 ++ .../azure/persistence_azure_automation_webhook_created.toml | 2 ++ .../persistence_azure_conditional_access_policy_modified.toml | 2 ++ .../persistence_azure_global_administrator_role_assigned.toml | 2 ++ .../azure/persistence_azure_pim_user_added_global_admin.toml | 2 ++ ...ce_azure_privileged_identity_management_role_modified.toml | 2 ++ .../azure/persistence_mfa_disabled_for_azure_user.toml | 2 ++ 
...persistence_user_added_as_owner_for_azure_application.toml | 2 ++ ...tence_user_added_as_owner_for_azure_service_principal.toml | 2 ++ ...ilege_escalation_azure_kubernetes_rolebinding_created.toml | 2 ++ ...ge_escalation_cyberarkpas_error_audit_event_promotion.toml | 4 ++-- ...n_cyberarkpas_recommended_events_to_monitor_promotion.toml | 4 ++-- rules/integrations/endpoint/elastic_endpoint_security.toml | 2 ++ .../gcp/collection_gcp_pub_sub_subscription_creation.toml | 2 ++ .../gcp/collection_gcp_pub_sub_topic_creation.toml | 2 ++ .../gcp/defense_evasion_gcp_firewall_rule_created.toml | 2 ++ .../gcp/defense_evasion_gcp_firewall_rule_deleted.toml | 2 ++ .../gcp/defense_evasion_gcp_firewall_rule_modified.toml | 2 ++ .../gcp/defense_evasion_gcp_logging_bucket_deletion.toml | 2 ++ .../gcp/defense_evasion_gcp_logging_sink_deletion.toml | 2 ++ .../defense_evasion_gcp_pub_sub_subscription_deletion.toml | 2 ++ .../gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml | 2 ++ ...nse_evasion_gcp_storage_bucket_configuration_modified.toml | 2 ++ ...fense_evasion_gcp_storage_bucket_permissions_modified.toml | 2 ++ ...nse_evasion_gcp_virtual_private_cloud_network_deleted.toml | 2 ++ ...fense_evasion_gcp_virtual_private_cloud_route_created.toml | 2 ++ ...fense_evasion_gcp_virtual_private_cloud_route_deleted.toml | 2 ++ .../gcp/exfiltration_gcp_logging_sink_modification.toml | 2 ++ rules/integrations/gcp/impact_gcp_iam_role_deletion.toml | 2 ++ .../integrations/gcp/impact_gcp_service_account_deleted.toml | 2 ++ .../integrations/gcp/impact_gcp_service_account_disabled.toml | 2 ++ rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml | 2 ++ .../gcp/initial_access_gcp_iam_custom_role_creation.toml | 2 ++ .../gcp/persistence_gcp_iam_service_account_key_deletion.toml | 2 ++ .../gcp/persistence_gcp_key_created_for_service_account.toml | 2 ++ .../gcp/persistence_gcp_service_account_created.toml | 2 ++ ...lation_gcp_kubernetes_rolebindings_created_or_patched.toml | 2 ++ 
...sion_domain_added_to_google_workspace_trusted_domains.toml | 4 ++-- .../impact_google_workspace_admin_role_deletion.toml | 4 ++-- .../impact_google_workspace_mfa_enforcement_disabled.toml | 4 ++-- ...sistence_application_added_to_google_workspace_domain.toml | 4 ++-- ...sistence_google_workspace_admin_role_assigned_to_user.toml | 4 ++-- ...ccess_granted_via_domain_wide_delegation_of_authority.toml | 4 ++-- ...ersistence_google_workspace_custom_admin_role_created.toml | 4 ++-- .../persistence_google_workspace_policy_modified.toml | 4 ++-- .../persistence_google_workspace_role_modified.toml | 4 ++-- ...stence_mfa_disabled_for_google_workspace_organization.toml | 4 ++-- .../kubernetes/discovery_suspicious_self_subject_review.toml | 4 ++-- rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 4 ++-- ...ersistence_exposed_service_created_with_type_nodeport.toml | 4 ++-- .../privilege_escalation_pod_created_with_hostipc.toml | 4 ++-- .../privilege_escalation_pod_created_with_hostnetwork.toml | 4 ++-- .../privilege_escalation_pod_created_with_hostpid.toml | 4 ++-- ..._escalation_pod_created_with_sensitive_hospath_volume.toml | 4 ++-- .../privilege_escalation_privileged_pod_created.toml | 4 ++-- .../o365/collection_microsoft_365_new_inbox_rule.toml | 2 ++ ...access_microsoft_365_brute_force_user_account_attempt.toml | 2 ++ ...cess_microsoft_365_potential_password_spraying_attack.toml | 2 ++ .../credential_access_user_excessive_sso_logon_errors.toml | 2 ++ ...nse_evasion_microsoft_365_exchange_dlp_policy_removed.toml | 2 ++ ...microsoft_365_exchange_malware_filter_policy_deletion.toml | 2 ++ ...vasion_microsoft_365_exchange_malware_filter_rule_mod.toml | 2 ++ ...sion_microsoft_365_exchange_safe_attach_rule_disabled.toml | 2 ++ ...e_evasion_microsoft_365_mailboxauditbypassassociation.toml | 2 ++ ...ration_microsoft_365_exchange_transport_rule_creation.toml | 2 ++ ...xfiltration_microsoft_365_exchange_transport_rule_mod.toml | 2 ++ 
.../impact_microsoft_365_potential_ransomware_activity.toml | 2 ++ .../impact_microsoft_365_unusual_volume_of_file_deletion.toml | 2 ++ ...ess_microsoft_365_exchange_anti_phish_policy_deletion.toml | 2 ++ ...ial_access_microsoft_365_exchange_anti_phish_rule_mod.toml | 2 ++ ...tial_access_microsoft_365_exchange_safelinks_disabled.toml | 2 ++ ...cess_microsoft_365_user_restricted_from_sending_email.toml | 2 ++ .../o365/initial_access_o365_user_reported_phish_malware.toml | 2 ++ .../o365/lateral_movement_malware_uploaded_onedrive.toml | 2 ++ .../o365/lateral_movement_malware_uploaded_sharepoint.toml | 2 ++ ...sistence_exchange_suspicious_mailbox_right_delegation.toml | 2 ++ ...e_microsoft_365_exchange_dkim_signing_config_disabled.toml | 2 ++ ...nce_microsoft_365_exchange_management_role_assignment.toml | 2 ++ ...stence_microsoft_365_global_administrator_role_assign.toml | 2 ++ ...ce_microsoft_365_teams_custom_app_interaction_allowed.toml | 2 ++ ...rsistence_microsoft_365_teams_external_access_enabled.toml | 2 ++ .../persistence_microsoft_365_teams_guest_access_enabled.toml | 2 ++ ...rivilege_escalation_new_or_modified_federation_domain.toml | 2 ++ .../okta/credential_access_attempted_bypass_of_okta_mfa.toml | 2 ++ ...tial_access_attempts_to_brute_force_okta_user_account.toml | 2 ++ .../okta/credential_access_mfa_push_brute_force.toml | 2 ++ ...edential_access_okta_brute_force_or_password_spraying.toml | 2 ++ .../okta/credential_access_user_impersonation_access.toml | 2 ++ ...fense_evasion_attempt_to_deactivate_okta_network_zone.toml | 2 ++ .../defense_evasion_attempt_to_delete_okta_network_zone.toml | 2 ++ ...efense_evasion_okta_attempt_to_deactivate_okta_policy.toml | 2 ++ ...e_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml | 2 ++ .../defense_evasion_okta_attempt_to_delete_okta_policy.toml | 2 ++ ...fense_evasion_okta_attempt_to_delete_okta_policy_rule.toml | 2 ++ ...ense_evasion_okta_attempt_to_modify_okta_network_zone.toml | 2 ++ 
.../defense_evasion_okta_attempt_to_modify_okta_policy.toml | 2 ++ ...fense_evasion_okta_attempt_to_modify_okta_policy_rule.toml | 2 ++ ...uspicious_okta_user_password_reset_or_unlock_attempts.toml | 2 ++ .../okta/impact_attempt_to_revoke_okta_api_token.toml | 2 ++ .../impact_okta_attempt_to_deactivate_okta_application.toml | 2 ++ .../okta/impact_okta_attempt_to_delete_okta_application.toml | 2 ++ .../okta/impact_okta_attempt_to_modify_okta_application.toml | 2 ++ rules/integrations/okta/impact_possible_okta_dos_attack.toml | 2 ++ ...nitial_access_okta_user_attempted_unauthorized_access.toml | 2 ++ ...tial_access_suspicious_activity_reported_by_okta_user.toml | 2 ++ .../okta/okta_threat_detected_by_okta_threatinsight.toml | 2 ++ ...tence_administrator_privileges_assigned_to_okta_group.toml | 2 ++ .../persistence_administrator_role_assigned_to_okta_user.toml | 2 ++ .../okta/persistence_attempt_to_create_okta_api_token.toml | 2 ++ ...tence_attempt_to_deactivate_mfa_for_okta_user_account.toml | 2 ++ ...ce_attempt_to_reset_mfa_factors_for_okta_user_account.toml | 2 ++ ...ttempt_to_modify_or_delete_application_sign_on_policy.toml | 2 ++ ...nd_control_connection_attempt_by_non_ssh_root_session.toml | 2 ++ rules/linux/command_and_control_linux_iodine_activity.toml | 2 ++ rules/linux/command_and_control_tunneling_via_earthworm.toml | 2 ++ rules/linux/credential_access_collection_sensitive_files.toml | 2 ++ rules/linux/credential_access_ssh_backdoor_log.toml | 2 ++ .../defense_evasion_attempt_to_disable_syslog_service.toml | 2 ++ ...vasion_base16_or_base32_encoding_or_decoding_activity.toml | 2 ++ rules/linux/defense_evasion_chattr_immutable_file.toml | 2 ++ rules/linux/defense_evasion_disable_selinux_attempt.toml | 2 ++ rules/linux/defense_evasion_file_deletion_via_shred.toml | 2 ++ rules/linux/defense_evasion_file_mod_writable_dir.toml | 2 ++ rules/linux/defense_evasion_hidden_file_dir_tmp.toml | 4 ++-- rules/linux/defense_evasion_hidden_shared_object.toml | 2 ++ 
rules/linux/defense_evasion_kernel_module_removal.toml | 2 ++ rules/linux/defense_evasion_log_files_deleted.toml | 2 ++ rules/linux/discovery_kernel_module_enumeration.toml | 2 ++ rules/linux/discovery_linux_hping_activity.toml | 2 ++ rules/linux/discovery_linux_nping_activity.toml | 2 ++ rules/linux/discovery_virtual_machine_fingerprinting.toml | 2 ++ rules/linux/execution_abnormal_process_id_file_created.toml | 2 ++ rules/linux/execution_linux_netcat_network_connection.toml | 2 ++ rules/linux/execution_perl_tty_shell.toml | 2 ++ .../linux/execution_process_started_from_process_id_file.toml | 2 ++ .../execution_process_started_in_shared_memory_directory.toml | 2 ++ rules/linux/execution_python_tty_shell.toml | 4 ++-- rules/linux/execution_shell_evasion_linux_binary.toml | 2 ++ rules/linux/execution_tc_bpf_filter.toml | 2 ++ rules/linux/impact_process_kill_threshold.toml | 2 ++ .../lateral_movement_telnet_network_activity_external.toml | 2 ++ .../lateral_movement_telnet_network_activity_internal.toml | 2 ++ rules/linux/persistence_chkconfig_service_add.toml | 2 ++ .../persistence_credential_access_modify_ssh_binaries.toml | 2 ++ rules/linux/persistence_dynamic_linker_backup.toml | 2 ++ rules/linux/persistence_etc_file_creation.toml | 2 ++ rules/linux/persistence_insmod_kernel_module_load.toml | 2 ++ rules/linux/persistence_kde_autostart_modification.toml | 2 ++ rules/linux/persistence_shell_activity_by_web_server.toml | 2 ++ .../privilege_escalation_ld_preload_shared_object_modif.toml | 2 ++ rules/linux/privilege_escalation_pkexec_envar_hijack.toml | 2 ++ ...dential_access_access_to_browser_credentials_procargs.toml | 2 ++ rules/macos/credential_access_credentials_keychains.toml | 2 ++ rules/macos/credential_access_dumping_hashes_bi_cmds.toml | 2 ++ rules/macos/credential_access_dumping_keychain_security.toml | 2 ++ rules/macos/credential_access_kerberosdump_kcc.toml | 2 ++ ...credential_access_keychain_pwd_retrieval_security_cmd.toml | 2 ++ 
rules/macos/credential_access_mitm_localhost_webproxy.toml | 2 ++ rules/macos/credential_access_potential_ssh_bruteforce.toml | 2 ++ .../macos/credential_access_promt_for_pwd_via_osascript.toml | 2 ++ rules/macos/credential_access_systemkey_dumping.toml | 2 ++ .../macos/defense_evasion_apple_softupdates_modification.toml | 2 ++ .../macos/defense_evasion_attempt_del_quarantine_attrib.toml | 2 ++ .../macos/defense_evasion_attempt_to_disable_gatekeeper.toml | 2 ++ rules/macos/defense_evasion_install_root_certificate.toml | 2 ++ rules/macos/defense_evasion_modify_environment_launchctl.toml | 2 ++ ...se_evasion_privacy_controls_tcc_database_modification.toml | 2 ++ ...privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml | 2 ++ rules/macos/defense_evasion_safari_config_change.toml | 2 ++ ...ense_evasion_sandboxed_office_app_suspicious_zip_file.toml | 2 ++ .../macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml | 2 ++ rules/macos/defense_evasion_unload_endpointsecurity_kext.toml | 2 ++ rules/macos/discovery_users_domain_built_in_commands.toml | 2 ++ ...cution_defense_evasion_electron_app_childproc_node_js.toml | 2 ++ ...execution_initial_access_suspicious_browser_childproc.toml | 2 ++ .../execution_installer_package_spawned_network_event.toml | 2 ++ rules/macos/execution_script_via_automator_workflows.toml | 2 ++ ...execution_scripting_osascript_exec_followed_by_netcon.toml | 2 ++ .../macos/execution_shell_execution_via_apple_scripting.toml | 2 ++ ...initial_access_suspicious_mac_ms_office_child_process.toml | 2 ++ ...al_movement_credential_access_kerberos_bifrostconsole.toml | 2 ++ rules/macos/lateral_movement_mounting_smb_share.toml | 2 ++ rules/macos/lateral_movement_remote_ssh_login_enabled.toml | 2 ++ rules/macos/lateral_movement_vpn_connection_attempt.toml | 2 ++ rules/macos/persistence_account_creation_hide_at_logon.toml | 2 ++ .../macos/persistence_creation_change_launch_agents_file.toml | 2 ++ .../persistence_creation_hidden_login_item_osascript.toml 
| 2 ++ .../persistence_creation_modif_launch_deamon_sequence.toml | 2 ++ ...tence_credential_access_authorization_plugin_creation.toml | 2 ++ rules/macos/persistence_crontab_creation.toml | 2 ++ ..._evasion_hidden_launch_agent_deamon_logonitem_process.toml | 2 ++ .../persistence_directory_services_plugins_modification.toml | 2 ++ .../persistence_docker_shortcuts_plist_modification.toml | 2 ++ rules/macos/persistence_emond_rules_file_creation.toml | 2 ++ rules/macos/persistence_emond_rules_process_execution.toml | 2 ++ rules/macos/persistence_enable_root_account.toml | 2 ++ ...rsistence_evasion_hidden_launch_agent_deamon_creation.toml | 2 ++ rules/macos/persistence_finder_sync_plugin_pluginkit.toml | 3 +++ rules/macos/persistence_folder_action_scripts_runtime.toml | 2 ++ rules/macos/persistence_login_logout_hooks_defaults.toml | 2 ++ rules/macos/persistence_loginwindow_plist_modification.toml | 2 ++ ...persistence_modification_sublime_app_plugin_or_script.toml | 2 ++ rules/macos/persistence_periodic_tasks_file_mdofiy.toml | 2 ++ ...rsistence_screensaver_engine_unexpected_child_process.toml | 2 ++ .../persistence_screensaver_plist_file_modification.toml | 2 ++ rules/macos/persistence_suspicious_calendar_modification.toml | 2 ++ rules/macos/persistence_via_atom_init_file_modification.toml | 2 ++ .../privilege_escalation_applescript_with_admin_privs.toml | 2 ++ .../privilege_escalation_explicit_creds_via_scripting.toml | 2 ++ .../privilege_escalation_exploit_adobe_acrobat_updater.toml | 2 ++ .../macos/privilege_escalation_local_user_added_to_admin.toml | 2 ++ rules/macos/privilege_escalation_root_crontab_filemod.toml | 2 ++ rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml | 2 ++ .../command_and_control_ml_packetbeat_rare_dns_question.toml | 2 ++ rules/ml/command_and_control_ml_packetbeat_rare_urls.toml | 2 ++ .../ml/command_and_control_ml_packetbeat_rare_user_agent.toml | 2 ++ ...redential_access_ml_auth_spike_in_failed_logon_events.toml | 4 ++-- 
rules/ml/credential_access_ml_auth_spike_in_logon_events.toml | 4 ++-- ...access_ml_auth_spike_in_logon_events_from_a_source_ip.toml | 4 ++-- ...credential_access_ml_linux_anomalous_metadata_process.toml | 2 +- .../credential_access_ml_linux_anomalous_metadata_user.toml | 2 +- rules/ml/credential_access_ml_suspicious_login_activity.toml | 2 +- ...edential_access_ml_windows_anomalous_metadata_process.toml | 2 +- .../credential_access_ml_windows_anomalous_metadata_user.toml | 2 +- rules/ml/discovery_ml_linux_system_information_discovery.toml | 2 +- ...overy_ml_linux_system_network_configuration_discovery.toml | 2 +- ...iscovery_ml_linux_system_network_connection_discovery.toml | 2 +- rules/ml/discovery_ml_linux_system_process_discovery.toml | 2 +- rules/ml/discovery_ml_linux_system_user_discovery.toml | 2 +- rules/ml/execution_ml_windows_anomalous_script.toml | 2 +- .../initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml | 4 ++-- .../ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml | 4 ++-- rules/ml/initial_access_ml_auth_rare_user_logon.toml | 4 ++-- rules/ml/initial_access_ml_linux_anomalous_user_name.toml | 2 +- rules/ml/initial_access_ml_windows_anomalous_user_name.toml | 2 +- ...itial_access_ml_windows_rare_user_type10_remote_login.toml | 2 +- rules/ml/ml_high_count_network_denies.toml | 2 ++ rules/ml/ml_high_count_network_events.toml | 2 ++ rules/ml/ml_linux_anomalous_network_activity.toml | 2 +- rules/ml/ml_linux_anomalous_network_port_activity.toml | 2 +- rules/ml/ml_packetbeat_rare_server_domain.toml | 2 ++ rules/ml/ml_rare_destination_country.toml | 2 ++ rules/ml/ml_spike_in_traffic_to_a_country.toml | 2 ++ rules/ml/ml_windows_anomalous_network_activity.toml | 2 +- .../ml/persistence_ml_linux_anomalous_process_all_hosts.toml | 2 +- rules/ml/persistence_ml_rare_process_by_host_linux.toml | 2 +- rules/ml/persistence_ml_rare_process_by_host_windows.toml | 2 +- rules/ml/persistence_ml_windows_anomalous_path_activity.toml | 2 +- 
.../persistence_ml_windows_anomalous_process_all_hosts.toml | 2 +- .../ml/persistence_ml_windows_anomalous_process_creation.toml | 2 +- rules/ml/persistence_ml_windows_anomalous_service.toml | 2 +- ...privilege_escalation_ml_linux_anomalous_sudo_activity.toml | 2 +- ...privilege_escalation_ml_windows_rare_user_runas_event.toml | 2 +- ...urce_development_ml_linux_anomalous_compiler_activity.toml | 2 +- rules/network/command_and_control_cobalt_strike_beacon.toml | 2 ++ ...and_and_control_cobalt_strike_default_teamserver_cert.toml | 2 ++ ...and_and_control_download_rar_powershell_from_internet.toml | 2 ++ rules/network/command_and_control_fin7_c2_behavior.toml | 2 ++ rules/network/command_and_control_halfbaked_beacon.toml | 2 ++ .../command_and_control_nat_traversal_port_activity.toml | 2 ++ rules/network/command_and_control_port_26_activity.toml | 2 ++ ...control_rdp_remote_desktop_protocol_from_the_internet.toml | 4 ++-- rules/network/command_and_control_telnet_port_activity.toml | 4 ++-- ...ntrol_vnc_virtual_network_computing_from_the_internet.toml | 2 ++ ...control_vnc_virtual_network_computing_to_the_internet.toml | 2 ++ ...al_access_rpc_remote_procedure_call_from_the_internet.toml | 2 ++ ...tial_access_rpc_remote_procedure_call_to_the_internet.toml | 2 ++ ...ess_smb_windows_file_sharing_activity_to_the_internet.toml | 2 ++ rules/network/initial_access_unsecure_elasticsearch_node.toml | 2 ++ .../credential_access_endgame_cred_dumping_detected.toml | 2 ++ .../credential_access_endgame_cred_dumping_prevented.toml | 2 ++ rules/promotions/endgame_adversary_behavior_detected.toml | 2 ++ rules/promotions/endgame_malware_detected.toml | 2 ++ rules/promotions/endgame_malware_prevented.toml | 2 ++ rules/promotions/endgame_ransomware_detected.toml | 2 ++ rules/promotions/endgame_ransomware_prevented.toml | 2 ++ rules/promotions/execution_endgame_exploit_detected.toml | 2 ++ rules/promotions/execution_endgame_exploit_prevented.toml | 2 ++ 
rules/promotions/external_alerts.toml | 2 ++ ...ivilege_escalation_endgame_cred_manipulation_detected.toml | 2 ++ ...vilege_escalation_endgame_cred_manipulation_prevented.toml | 2 ++ ...rivilege_escalation_endgame_permission_theft_detected.toml | 2 ++ ...ivilege_escalation_endgame_permission_theft_prevented.toml | 2 ++ ...ivilege_escalation_endgame_process_injection_detected.toml | 2 ++ ...vilege_escalation_endgame_process_injection_prevented.toml | 2 ++ .../windows/collection_email_powershell_exchange_mailbox.toml | 2 ++ rules/windows/collection_posh_audio_capture.toml | 2 ++ rules/windows/collection_posh_keylogger.toml | 2 ++ rules/windows/collection_posh_screen_grabber.toml | 2 ++ rules/windows/collection_winrar_encryption.toml | 2 ++ .../command_and_control_certutil_network_connection.toml | 2 ++ rules/windows/command_and_control_common_webservices.toml | 2 ++ rules/windows/command_and_control_dns_tunneling_nslookup.toml | 2 ++ .../command_and_control_encrypted_channel_freesslcert.toml | 2 ++ rules/windows/command_and_control_iexplore_via_com.toml | 2 ++ .../command_and_control_port_forwarding_added_registry.toml | 2 ++ rules/windows/command_and_control_rdp_tunnel_plink.toml | 2 ++ ...ommand_and_control_remote_file_copy_desktopimgdownldr.toml | 2 ++ .../command_and_control_remote_file_copy_mpcmdrun.toml | 2 ++ .../command_and_control_remote_file_copy_powershell.toml | 2 ++ .../windows/command_and_control_remote_file_copy_scripts.toml | 2 ++ .../command_and_control_sunburst_c2_activity_detected.toml | 2 ++ .../command_and_control_teamviewer_remote_file_copy.toml | 2 ++ rules/windows/credential_access_cmdline_dump_tool.toml | 4 ++-- .../credential_access_copy_ntds_sam_volshadowcp_cmdline.toml | 2 ++ .../windows/credential_access_credential_dumping_msbuild.toml | 2 ++ .../windows/credential_access_dcsync_replication_rights.toml | 2 ++ rules/windows/credential_access_disable_kerberos_preauth.toml | 2 ++ .../credential_access_domain_backup_dpapi_private_keys.toml | 
2 ++ rules/windows/credential_access_dump_registry_hives.toml | 2 ++ rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml | 2 ++ .../credential_access_iis_connectionstrings_dumping.toml | 2 ++ .../credential_access_kerberoasting_unusual_process.toml | 2 ++ .../credential_access_lsass_handle_via_malseclogon.toml | 2 ++ .../windows/credential_access_lsass_memdump_file_created.toml | 4 ++-- .../credential_access_lsass_memdump_handle_access.toml | 2 ++ .../credential_access_mimikatz_memssp_default_logs.toml | 2 ++ .../windows/credential_access_mimikatz_powershell_module.toml | 2 ++ .../credential_access_mod_wdigest_security_provider.toml | 2 ++ .../credential_access_moving_registry_hive_via_smb.toml | 4 ++-- ...ccess_persistence_network_logon_provider_modification.toml | 2 ++ rules/windows/credential_access_posh_minidump.toml | 2 ++ rules/windows/credential_access_posh_request_ticket.toml | 2 ++ ...redential_access_potential_lsa_memdump_via_mirrordump.toml | 2 ++ .../credential_access_relay_ntlm_auth_via_http_spoolss.toml | 3 +++ rules/windows/credential_access_remote_sam_secretsdump.toml | 4 ++-- rules/windows/credential_access_saved_creds_vaultcmd.toml | 2 ++ ...l_access_seenabledelegationprivilege_assigned_to_user.toml | 2 ++ rules/windows/credential_access_shadow_credentials.toml | 2 ++ rules/windows/credential_access_spn_attribute_modified.toml | 2 ++ .../credential_access_suspicious_comsvcs_imageload.toml | 2 ++ .../credential_access_suspicious_lsass_access_memdump.toml | 2 ++ ...redential_access_suspicious_lsass_access_via_snapshot.toml | 4 ++-- ...ial_access_suspicious_winreg_access_via_sebackup_priv.toml | 2 ++ ...redential_access_symbolic_link_to_shadow_copy_created.toml | 2 ++ .../credential_access_via_snapshot_lsass_clone_creation.toml | 2 ++ ...n_adding_the_hidden_file_attribute_with_via_attribexe.toml | 4 ++-- rules/windows/defense_evasion_amsienable_key_mod.toml | 2 ++ .../defense_evasion_clearing_windows_console_history.toml | 2 ++ 
.../windows/defense_evasion_clearing_windows_event_logs.toml | 2 ++ .../defense_evasion_clearing_windows_security_logs.toml | 2 ++ .../windows/defense_evasion_create_mod_root_certificate.toml | 2 ++ rules/windows/defense_evasion_cve_2020_0601.toml | 2 ++ .../defense_evasion_defender_disabled_via_registry.toml | 2 ++ .../defense_evasion_defender_exclusion_via_powershell.toml | 2 ++ ...defense_evasion_delete_volume_usn_journal_with_fsutil.toml | 2 ++ .../defense_evasion_disable_posh_scriptblocklogging.toml | 2 ++ ...nse_evasion_disable_windows_firewall_rules_with_netsh.toml | 2 ++ ...defense_evasion_disabling_windows_defender_powershell.toml | 2 ++ rules/windows/defense_evasion_disabling_windows_logs.toml | 2 ++ rules/windows/defense_evasion_dns_over_https_enabled.toml | 2 ++ .../defense_evasion_dotnet_compiler_parent_process.toml | 2 ++ .../defense_evasion_enable_inbound_rdp_with_netsh.toml | 2 ++ .../defense_evasion_enable_network_discovery_with_netsh.toml | 2 ++ ...fense_evasion_execution_control_panel_suspicious_args.toml | 2 ++ rules/windows/defense_evasion_execution_lolbas_wuauclt.toml | 4 ++-- ...fense_evasion_execution_msbuild_started_by_office_app.toml | 2 ++ .../defense_evasion_execution_msbuild_started_by_script.toml | 2 ++ ...e_evasion_execution_msbuild_started_by_system_process.toml | 2 ++ .../defense_evasion_execution_msbuild_started_renamed.toml | 2 ++ ...ense_evasion_execution_msbuild_started_unusal_process.toml | 2 ++ ...defense_evasion_execution_suspicious_explorer_winword.toml | 2 ++ .../defense_evasion_execution_windefend_unusual_path.toml | 2 ++ .../windows/defense_evasion_file_creation_mult_extension.toml | 4 ++-- rules/windows/defense_evasion_from_unusual_directory.toml | 2 ++ .../defense_evasion_hide_encoded_executable_registry.toml | 2 ++ rules/windows/defense_evasion_iis_httplogging_disabled.toml | 2 ++ rules/windows/defense_evasion_injection_msbuild.toml | 2 ++ rules/windows/defense_evasion_installutil_beacon.toml | 2 ++ 
...ense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 ++ .../windows/defense_evasion_masquerading_renamed_autoit.toml | 2 ++ ...se_evasion_masquerading_suspicious_werfault_childproc.toml | 2 ++ .../defense_evasion_masquerading_trusted_directory.toml | 2 ++ rules/windows/defense_evasion_masquerading_werfault.toml | 2 ++ .../windows/defense_evasion_microsoft_defender_tampering.toml | 2 ++ ...efense_evasion_misc_lolbin_connecting_to_the_internet.toml | 2 ++ .../windows/defense_evasion_ms_office_suspicious_regmod.toml | 2 ++ .../defense_evasion_msbuild_making_network_connections.toml | 2 ++ rules/windows/defense_evasion_mshta_beacon.toml | 2 ++ rules/windows/defense_evasion_msxsl_network.toml | 2 ++ ...efense_evasion_network_connection_from_windows_binary.toml | 2 ++ .../windows/defense_evasion_parent_process_pid_spoofing.toml | 2 ++ rules/windows/defense_evasion_posh_assembly_load.toml | 2 ++ rules/windows/defense_evasion_posh_compressed.toml | 2 ++ rules/windows/defense_evasion_posh_process_injection.toml | 2 ++ .../defense_evasion_potential_processherpaderping.toml | 2 ++ .../defense_evasion_powershell_windows_firewall_disabled.toml | 2 ++ ...ense_evasion_process_termination_followed_by_deletion.toml | 2 ++ rules/windows/defense_evasion_proxy_execution_via_msdt.toml | 3 +++ rules/windows/defense_evasion_rundll32_no_arguments.toml | 2 ++ .../defense_evasion_scheduledjobs_at_protocol_enabled.toml | 2 ++ .../windows/defense_evasion_sdelete_like_filename_rename.toml | 2 ++ rules/windows/defense_evasion_sip_provider_mod.toml | 2 ++ ...ion_solarwinds_backdoor_service_disabled_via_registry.toml | 2 ++ .../windows/defense_evasion_suspicious_certutil_commands.toml | 4 ++-- ...ense_evasion_suspicious_execution_from_mounted_device.toml | 2 ++ .../defense_evasion_suspicious_managedcode_host_process.toml | 2 ++ ...ense_evasion_suspicious_process_access_direct_syscall.toml | 2 ++ ...defense_evasion_suspicious_process_creation_calltrace.toml | 2 ++ 
rules/windows/defense_evasion_suspicious_scrobj_load.toml | 2 ++ .../defense_evasion_suspicious_short_program_name.toml | 2 ++ rules/windows/defense_evasion_suspicious_wmi_script.toml | 2 ++ .../defense_evasion_suspicious_zoom_child_process.toml | 2 ++ ...e_evasion_system_critical_proc_abnormal_file_activity.toml | 2 ++ rules/windows/defense_evasion_unusual_ads_file_creation.toml | 2 ++ rules/windows/defense_evasion_unusual_dir_ads.toml | 2 ++ ...efense_evasion_unusual_network_connection_via_dllhost.toml | 2 ++ ...fense_evasion_unusual_network_connection_via_rundll32.toml | 2 ++ .../defense_evasion_unusual_process_network_connection.toml | 2 ++ .../defense_evasion_unusual_system_vp_child_program.toml | 2 ++ rules/windows/defense_evasion_via_filter_manager.toml | 2 ++ .../defense_evasion_workfolders_control_execution.toml | 2 ++ rules/windows/discovery_adfind_command_activity.toml | 2 ++ rules/windows/discovery_admin_recon.toml | 2 ++ rules/windows/discovery_command_system_account.toml | 4 ++-- .../discovery_enumerating_domain_trusts_via_nltest.toml | 2 ++ rules/windows/discovery_net_view.toml | 2 ++ rules/windows/discovery_peripheral_device.toml | 2 ++ rules/windows/discovery_posh_suspicious_api_functions.toml | 2 ++ .../discovery_post_exploitation_external_ip_lookup.toml | 2 ++ rules/windows/discovery_privileged_localgroup_membership.toml | 2 ++ .../discovery_remote_system_discovery_commands_windows.toml | 2 ++ rules/windows/discovery_security_software_wmic.toml | 2 ++ rules/windows/discovery_whoami_command_activity.toml | 2 ++ ...xecution_apt_solarwinds_backdoor_child_cmd_powershell.toml | 2 ++ ...ution_apt_solarwinds_backdoor_unusual_child_processes.toml | 2 ++ rules/windows/execution_com_object_xwizard.toml | 2 ++ .../execution_command_prompt_connecting_to_the_internet.toml | 2 ++ rules/windows/execution_command_shell_started_by_svchost.toml | 4 ++-- .../execution_command_shell_started_by_unusual_process.toml | 2 ++ 
rules/windows/execution_command_shell_via_rundll32.toml | 2 ++ rules/windows/execution_enumeration_via_wmiprvse.toml | 2 ++ rules/windows/execution_from_unusual_path_cmdline.toml | 2 ++ ...ml_help_executable_program_connecting_to_the_internet.toml | 2 ++ rules/windows/execution_ms_office_written_file.toml | 2 ++ rules/windows/execution_pdf_written_file.toml | 2 ++ rules/windows/execution_posh_portable_executable.toml | 2 ++ rules/windows/execution_posh_psreflect.toml | 2 ++ rules/windows/execution_psexec_lateral_movement_command.toml | 2 ++ ...on_register_server_program_connecting_to_the_internet.toml | 4 ++-- rules/windows/execution_scheduled_task_powershell_source.toml | 2 ++ rules/windows/execution_shared_modules_local_sxs_dll.toml | 2 ++ rules/windows/execution_suspicious_cmd_wmi.toml | 2 ++ .../execution_suspicious_image_load_wmi_ms_office.toml | 2 ++ rules/windows/execution_suspicious_pdf_reader.toml | 2 ++ rules/windows/execution_suspicious_powershell_imgload.toml | 4 ++-- rules/windows/execution_suspicious_psexesvc.toml | 2 ++ rules/windows/execution_via_compiled_html_file.toml | 2 ++ rules/windows/execution_via_hidden_shell_conhost.toml | 2 ++ .../execution_via_xp_cmdshell_mssql_stored_procedure.toml | 2 ++ rules/windows/impact_backup_file_deletion.toml | 2 ++ .../windows/impact_deleting_backup_catalogs_with_wbadmin.toml | 2 ++ rules/windows/impact_modification_of_boot_config.toml | 2 ++ rules/windows/impact_stop_process_service_threshold.toml | 2 ++ ...t_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml | 2 ++ .../impact_volume_shadow_copy_deletion_via_powershell.toml | 2 ++ .../windows/impact_volume_shadow_copy_deletion_via_wmic.toml | 2 ++ .../initial_access_evasion_suspicious_htm_file_creation.toml | 2 ++ rules/windows/initial_access_script_executing_powershell.toml | 2 ++ .../initial_access_scripts_process_started_via_wmi.toml | 2 ++ .../windows/initial_access_suspicious_ms_exchange_files.toml | 2 ++ 
.../initial_access_suspicious_ms_exchange_process.toml | 2 ++ ...al_access_suspicious_ms_exchange_worker_child_process.toml | 2 ++ .../initial_access_suspicious_ms_office_child_process.toml | 2 ++ .../initial_access_suspicious_ms_outlook_child_process.toml | 2 ++ .../windows/initial_access_unusual_dns_service_children.toml | 2 ++ .../initial_access_unusual_dns_service_file_writes.toml | 2 ++ ...tial_access_via_explorer_suspicious_child_parent_args.toml | 2 ++ rules/windows/lateral_movement_cmd_service.toml | 2 ++ rules/windows/lateral_movement_dcom_hta.toml | 2 ++ rules/windows/lateral_movement_dcom_mmc20.toml | 2 ++ .../lateral_movement_dcom_shellwindow_shellbrowserwindow.toml | 2 ++ ...t_defense_evasion_lanman_nullsessionpipe_modification.toml | 2 ++ .../lateral_movement_direct_outbound_smb_connection.toml | 2 ++ rules/windows/lateral_movement_dns_server_overflow.toml | 2 ++ rules/windows/lateral_movement_evasion_rdp_shadowing.toml | 2 ++ .../lateral_movement_executable_tool_transfer_smb.toml | 2 ++ .../windows/lateral_movement_execution_from_tsclient_mup.toml | 2 ++ .../lateral_movement_execution_via_file_shares_sequence.toml | 2 ++ .../lateral_movement_incoming_winrm_shell_execution.toml | 2 ++ rules/windows/lateral_movement_incoming_wmi.toml | 2 ++ .../lateral_movement_mount_hidden_or_webdav_share_net.toml | 2 ++ .../windows/lateral_movement_powershell_remoting_target.toml | 2 ++ rules/windows/lateral_movement_rdp_enabled_registry.toml | 2 ++ rules/windows/lateral_movement_rdp_sharprdp_target.toml | 2 ++ .../lateral_movement_remote_file_copy_hidden_share.toml | 2 ++ rules/windows/lateral_movement_remote_services.toml | 2 ++ rules/windows/lateral_movement_scheduled_task_target.toml | 2 ++ .../lateral_movement_service_control_spawned_script_int.toml | 2 ++ .../lateral_movement_suspicious_rdp_client_imageload.toml | 2 ++ .../windows/lateral_movement_via_startup_folder_rdp_smb.toml | 2 ++ rules/windows/persistence_ad_adminsdholder.toml | 2 ++ 
rules/windows/persistence_adobe_hijack_persistence.toml | 2 ++ rules/windows/persistence_app_compat_shim.toml | 2 ++ rules/windows/persistence_appcertdlls_registry.toml | 2 ++ rules/windows/persistence_appinitdlls_registry.toml | 2 ++ rules/windows/persistence_dontexpirepasswd_account.toml | 2 ++ .../persistence_evasion_hidden_local_account_creation.toml | 2 ++ .../windows/persistence_evasion_registry_ifeo_injection.toml | 4 ++-- ...stence_evasion_registry_startup_shell_folder_modified.toml | 2 ++ rules/windows/persistence_gpo_schtask_service_creation.toml | 2 ++ rules/windows/persistence_local_scheduled_job_creation.toml | 2 ++ rules/windows/persistence_local_scheduled_task_creation.toml | 4 ++-- rules/windows/persistence_local_scheduled_task_scripting.toml | 2 ++ rules/windows/persistence_ms_office_addins_file.toml | 2 ++ rules/windows/persistence_ms_outlook_vba_template.toml | 2 ++ rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml | 2 ++ ...istence_powershell_exch_mailbox_activesync_add_device.toml | 2 ++ ...ersistence_priv_escalation_via_accessibility_features.toml | 2 ++ rules/windows/persistence_registry_uncommon.toml | 4 ++-- rules/windows/persistence_remote_password_reset.toml | 2 ++ rules/windows/persistence_run_key_and_startup_broad.toml | 4 ++-- .../persistence_runtime_run_key_startup_susp_procs.toml | 2 ++ rules/windows/persistence_sdprop_exclusion_dsheuristics.toml | 2 ++ rules/windows/persistence_services_registry.toml | 2 ++ ...nce_startup_folder_file_written_by_suspicious_process.toml | 2 ++ ...tence_startup_folder_file_written_by_unsigned_process.toml | 2 ++ rules/windows/persistence_startup_folder_scripts.toml | 2 ++ rules/windows/persistence_suspicious_com_hijack_registry.toml | 2 ++ ...stence_suspicious_image_load_scheduled_task_ms_office.toml | 2 ++ .../persistence_suspicious_scheduled_task_runtime.toml | 2 ++ .../persistence_suspicious_service_created_registry.toml | 2 ++ rules/windows/persistence_system_shells_via_services.toml | 2 
++ rules/windows/persistence_time_provider_mod.toml | 2 ++ ...persistence_user_account_added_to_privileged_group_ad.toml | 2 ++ rules/windows/persistence_user_account_creation.toml | 2 ++ rules/windows/persistence_via_application_shimming.toml | 2 ++ rules/windows/persistence_via_bits_job_notify_command.toml | 2 ++ rules/windows/persistence_via_hidden_run_key_valuename.toml | 2 ++ ...ersistence_via_lsa_security_support_provider_registry.toml | 2 ++ ...sistence_via_telemetrycontroller_scheduledtask_hijack.toml | 2 ++ .../persistence_via_update_orchestrator_service_hijack.toml | 2 ++ ...windows_management_instrumentation_event_subscription.toml | 2 ++ .../windows/persistence_via_wmi_stdregprov_run_services.toml | 2 ++ rules/windows/persistence_webshell_detection.toml | 2 ++ rules/windows/privilege_escalation_disable_uac_registry.toml | 2 ++ .../windows/privilege_escalation_group_policy_iniscript.toml | 2 ++ .../privilege_escalation_group_policy_privileged_groups.toml | 2 ++ .../privilege_escalation_group_policy_scheduled_task.toml | 2 ++ rules/windows/privilege_escalation_installertakeover.toml | 4 ++-- .../privilege_escalation_krbrelayup_service_creation.toml | 2 ++ rules/windows/privilege_escalation_lsa_auth_package.toml | 2 ++ .../privilege_escalation_named_pipe_impersonation.toml | 2 ++ .../windows/privilege_escalation_persistence_phantom_dll.toml | 2 ++ ...rivilege_escalation_port_monitor_print_pocessor_abuse.toml | 2 ++ .../privilege_escalation_printspooler_registry_copyfiles.toml | 2 ++ ...ilege_escalation_printspooler_service_suspicious_file.toml | 2 ++ ...lege_escalation_printspooler_suspicious_file_deletion.toml | 2 ++ ...privilege_escalation_printspooler_suspicious_spl_file.toml | 2 ++ .../privilege_escalation_rogue_windir_environment_var.toml | 2 ++ .../privilege_escalation_samaccountname_spoofing_attack.toml | 2 ++ .../privilege_escalation_suspicious_dnshostname_update.toml | 2 ++ rules/windows/privilege_escalation_uac_bypass_com_clipup.toml | 2 ++ 
.../windows/privilege_escalation_uac_bypass_com_ieinstal.toml | 2 ++ ...vilege_escalation_uac_bypass_com_interface_icmluautil.toml | 2 ++ .../privilege_escalation_uac_bypass_diskcleanup_hijack.toml | 2 ++ .../privilege_escalation_uac_bypass_dll_sideloading.toml | 2 ++ .../windows/privilege_escalation_uac_bypass_event_viewer.toml | 2 ++ .../windows/privilege_escalation_uac_bypass_mock_windir.toml | 2 ++ .../privilege_escalation_uac_bypass_winfw_mmc_hijack.toml | 2 ++ ...privilege_escalation_unusual_parentchild_relationship.toml | 2 ++ ...rivilege_escalation_unusual_printspooler_childprocess.toml | 4 ++-- ...vilege_escalation_unusual_svchost_childproc_childless.toml | 2 ++ rules/windows/privilege_escalation_via_rogue_named_pipe.toml | 2 ++ ...ivilege_escalation_windows_service_via_unusual_client.toml | 2 ++ 679 files changed, 1334 insertions(+), 135 deletions(-)
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 085c469575d..eb9339e3d9c 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/13"
 
 [rule]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 4c4a712262b..e601bd88d9d 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/13"
 
 [rule]
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index 0519fedd662..15b880d1d8b 100644
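Review bot: The new `min_stack_comments` / `min_stack_version` keys are inserted between `maturity` and `updated_date` in this hunk and in every other `-1,6 +1,8` hunk, while the files that already carried these keys keep them after `updated_date`, so the `[metadata]` table now has two different key orders across the rule set. If the repository's tooling normalizes metadata on write this is cosmetic; otherwise placing the pair consistently after `updated_date` would keep future bulk edits to this table mechanical. The hunk only shows the head of the `[metadata]` table; the rest of the file is outside the hunk.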
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/13"
 
 [rule]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index c37e7d68f2e..11d6fb63958 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/13"
 
 [rule]
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index e990120dfb5..c521ab86983 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 7f39cc44522..1944a26182e 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/07/14"
 maturity = "production"
 updated_date = "2022/02/28"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.15.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 0a0955aaa32..2282deb2274 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/07/14"
 maturity = "production"
 updated_date = "2022/02/16"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.15.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 283004af026..289475cb3bf 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 5f332e4cf30..a32174bee05 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
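Review bot: The replaced `min_stack_comments` in defense_evasion_agent_spoofing_mismatched_id.toml discards the documented reason for the previous floor (`event.agent_id_status` did not exist before 7.14) and keeps only the generic 8.3 note; the same rationale loss happens in defense_evasion_agent_spoofing_multiple_hosts.toml on this line, in impact_hosts_file_modified.toml (timeline templates need 8.2+) and in both threat_intel_* files (ECS 1.11 field names). A floor of 8.3.0 still satisfies each older constraint, but once the comment is gone nothing records that the floor cannot later be lowered below those versions without breaking the query. Suggest keeping both rationales in the one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; event.agent_id_status requires 7.14+"`, with the matching wording in the other four files. `updated_date` is also left untouched while the metadata changes; confirm whether the repository's convention requires bumping it for metadata-only edits.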
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/16"
 
 [rule]
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index 7ec822922d2..94d5c2b722e 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index cf14cceb828..e893d4b0b22 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 25f36fbd3e7..0a296f2eabc 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index 79ad5390354..ff4a908c25c 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/09/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index 84533a03f4f..dbaee714710 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 91da6fabb71..fdc2ec64b57 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/06"
 
 [rule]
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 32913f5971e..dc63531b97e 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index b663d70da00..4e91b6edb8f 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/12/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 1f28d573922..0911b7a61bf 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/07/07"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index dbf0d0fb12f..d8b81000882 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/10"
 
 [rule]
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index d42f5741319..b87e5a7dd4f 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/22"
 
 [rule]
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index cec0ff93d98..c2fdfd8697e 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/08/03"
 
 [rule]
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index c0df6679998..b7c071bcc6d 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/04"
 
 [rule]
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index e0df3d8aa6d..53c5b593635 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 428b72f1e3f..432896bc68d 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/10"
 
 [rule]
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 5a67e5a6872..01e8e6134cd 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/02/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index ede884934ef..2e738e5cfa8 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index ed24a7bc3d8..000326e34ac 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/11/24"
 maturity = "production"
 updated_date = "2022/02/16"
-min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index 5b88f36a166..1e8d6293cd1 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/04/21"
 maturity = "production"
 updated_date = "2022/02/16"
-min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)."
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index d59e0a722b2..aa65940b566 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index a65ec7316b9..43a3a5e79b8 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "aws"
 
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index dca7e8b4977..dfd3d1e73a7 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "aws"
 
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 4110331a4f6..7040c497487 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index 50ad221fdc6..9c6ad26cebd 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 41bacd7e4e4..e5924d6a998 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 59bfe53eafc..88910187cb6 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index e9bc81ed4ba..051997771d4 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 0f38bfd560a..09a5646eef3 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 39aac78b19b..610cc501bef 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 56aa312c172..97d57b798f6 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 4d17f64ea25..0fd6227535d 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 608c8a85007..7182c88276e 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/01"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 5a7dd4837c6..00375e5837c 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/01"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index c025a145543..cbc3b312b29 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 0836f85b61e..25d808c316d 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index deac79fe2f6..3bf140a3432 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index e3d58bd4fd6..f5b4eb4994f 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/11"
 integration = "aws"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 6f40150d528..75c45b41e59 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 876ec8bf80e..37388a7b146 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index a991c5f57be..ac14e92be76 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 22c78f4bc3a..2f9cd8841d3 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index f55e0e5d9d7..d0762e7c75c 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index c3c174508c0..684bb0ff38c 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 8784d426194..0dcc1e5c48a 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 2af9ef080dd..73a57efb10f 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index e5eee33b43a..e31fe14d7e2 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 8c5d534e7f2..418f35f2f87 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 9e650a1e7ed..7b6133235eb 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 3a74b435459..fb961fe3577 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index d799a20c7f4..45050f05fc0 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 481df4dfd04..48e88f991a3 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 90fd97a3944..8a7d48c2b9b 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/07"
 integration = "aws"
 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 3909047888b..cfddf5555d4 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index 1c2690d6cc7..75391e2ba1f 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 2b276c1abbe..a8baa066ae9 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 1ebe340da1f..ecad0e621b9 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index e4cb8e8eaf7..79ceff3612f 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 8e9904cec74..2fe035b0e23 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index a1a1cff48ef..5d55f25f962 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index cf997be4ade..67e8336227f 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 35988790abf..f05f4389f75 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/14"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index eb988ea160b..3f7dc86f84a 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index a16ed0dadf6..98f1c75f3d4 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/07"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index d20094ff6c3..11303f82885 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 94ae3cfacee..c6b88c2520a 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 374d94fc62b..c46ff2ff584 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 65617ffae45..c207a60612b 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index dc98349791e..59c44651f6a 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/04/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index de34c8b9cb2..4980bf20f28 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 597ea914df2..d31e814e4cd 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 086300809d7..b0cc15029df 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/19"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index c0b70f34a87..f11500dac88 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 57ffe282789..e46e759b069 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 integration = "aws"
 
diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
index b4baff8da98..bf186aaf954 100644
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/09/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 1d1be7716e8..8a3b7a39c7d 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "aws"
 
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 360a6f53336..1ae0785d8ff 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/05"
 integration = "aws"
 
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index afa2cfedd01..3a85a877bf1 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/11"
 integration = "aws"
 
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 82b339e27a2..388acde51a7 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "aws"
 
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index 533d7a9aa45..3a30f7d4721 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
 
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 39af8aec704..1dc939f216d 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/08/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/15"
 integration = "azure"
 
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index 6b4fb1714a9..b14a3470717 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
 
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 8c4c4820f8c..eff6841a142 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index f6a2068e922..43b61bab39c 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index d09c3e51f31..3c1d3730f2f 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 integration = "azure"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 52912a862d4..c69dbb846d5 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/09/22"
 integration = "azure"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 69f3b560cc9..fe9671951e8 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 4fba20ea451..660364efee3 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "azure"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 763c1d36812..550273b1bf5 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index fff5ce5157f..d40011b5dc9 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index a4711ef0ccc..e08c7be63a5 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/08/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/08/01"
 integration = "azure"
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index b4ead5ba31f..a85917ee118 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 integration = "azure"
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index bbbe2ce8118..967dbc15746 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index cd5ea237184..99007fdc48f 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/16"
 integration = "azure"
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index a38057a25b2..eefcf8cd3a3 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 1289b596fa8..6463bc9c6a8 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index 25fa04cb3e8..0c5ef3766ed 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 integration = "azure"
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 507e10868a9..da127e72c27 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/06/24"
 integration = "azure"
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 545b3d503d0..9fb53190553 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index f62a129494b..281b036430d 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 integration = "azure"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index eec7eee274f..cbb8282ac2a 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "azure"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 350583d23ed..2284a4b5737 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "azure"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index f8a0f17173f..25576bb6b42 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "azure"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index a23b24d8a3b..b96ddb5b033 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "azure"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index d90deeca456..96704a44ff4 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 837197b0d35..a38f4b0bbf7 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index a9c2aa29c7b..f70887a5c15 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index 603ddb25885..4abb4a257f1 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 2a321bae517..19f172a65a7 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index 868e5ec47de..e64e9991da0 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,6 +2,8 @@
 creation_date = "2022/01/06"
 integration = "azure"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index d2ffbe7950b..dd459283c21 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 3fc79445b51..8f4f207f634 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/19"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index aab929854ad..e3c9a601e97 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 0392baddaac..652ad32cff3 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 367d4626bcd..9c27ff59322 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "azure"
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index 22a288179b4..6d72bb37216 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/11/22"
 integration = "azure"
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 7d460b4b128..19a2f43672d 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -3,8 +3,8 @@ creation_date = "2021/06/23"
 maturity = "production"
 updated_date = "2021/07/20"
 integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
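Review bot: The `-`/`+` pair on `min_stack_comments` in the cyberarkpas hunk drops the only record of why this rule was previously gated to 7.14 — that the integration did not exist before then — even though the new 8.3.0 floor still satisfies that constraint. The same loss occurs in the next cyberarkpas hunk and in the five google_workspace hunks further down, where the "deprecated gsuite fields in 8.0" rationale behind the 8.0 floor is overwritten. Keeping both reasons in the string preserves that history for anyone later considering lowering the floor, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; integration not introduced until 7.14"`. Raising the floor from 7.14.0 to 8.3.0 also means these rules are no longer packaged for 7.14–8.2 stacks, which appears to be the intent of the commit but is worth stating explicitly in its description.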
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 81c4a24c9f6..2bae0cdf939 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -3,8 +3,8 @@ creation_date = "2021/06/23"
 maturity = "production"
 updated_date = "2021/07/20"
 integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = '7.14.0'
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index f4b6bd08fc8..a55e1f18dab 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/11"
 integration = "endpoint"
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index f0013f13a10..6e78a214b80 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index ff837ff852e..7cfe71fb3b6 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 30f92a924e9..79b6c5687d3 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,6 +2,8 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index bf6db737207..79fe0bb3fa6 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,6 +2,8 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index ff725226160..fb512af7648 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,6 +2,8 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index a51020e374a..0786f60112f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 70fc658a03c..c1e209182f9 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index ff35c6f6f8c..872f3132e7f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 4c2a2a55c23..268b784e698 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index b9a7fbdcf49..c06f1cc57bf 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 89f6be2535b..e1eaed63324 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 5db8145a749..7889bd0c7fb 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 283c1694f18..88b23ab6107 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 4c37eace740..efa40739cea 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,6 +2,8 @@
 creation_date = "2020/09/22"
 integration = "gcp"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 [rule]
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 152c0713a03..d40f6db6500 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index f98d8bdd687..24c78051f13 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 9234a204d7d..75d2c2d9591 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 51a3b4136ef..1a62938842e 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 92d22e0f539..d9dac715813 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 3659d02c7da..cd8c1f8d8eb 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 131af16bd28..357fdaae468 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 085fa6c50b3..392ecdd7cf4 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 18a6408d6b8..7ceb00f471a 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
index 7a9209e16d2..2b6b6d3f182 100644
--- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
+++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 integration = "gcp"
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index af832c6a7e7..0705e17859b 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/07/17"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index 68c60e5fc41..d18f044cd04 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/01/13"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index c0b08b820ab..fe8d868ef80 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/07/22"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index ccf0924e508..4e6bb6a8e92 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/07/17"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 08ad8a896a5..dc0f2b4a372 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/01/13"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index f67fa93e882..950c5b8e673 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/12"
 maturity = "production"
 updated_date = "2022/01/13"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index d9b207a6426..b3bbee6ae48 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/01/13"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
index 724d3e6b1ed..bda62e69773 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/07/17"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index ea0abb11270..53025281971 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/01/13"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index d512898f0a8..157072ef708 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -3,8 +3,8 @@ creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/07/17"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 7302029d340..0b0f7f9b2b6 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/06/30"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/06/30"
 [rule]
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 0f325829041..68797f0d066 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/05/17"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/11"
 [rule]
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 376166b88e8..6d6f5f5ce30 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 [rule]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index c75d52ff39d..e08a2889d82 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 [rule]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 6a524b580b3..9748d7ff69a 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 [rule]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index dfafe09a036..7ed9811f854 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 [rule]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
index 30c880f5bf3..453f78f5640 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/07/11"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/11"
 [rule]
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 8db4db42af7..345aae28b53 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,8 +2,8 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 [rule]
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 98a096dd1bf..f30a9e84697 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/16"
 integration = "o365"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index e8f9c357dc0..eea33534eb6 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/30"
 integration = "o365"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index cb87e6635cb..5527f4c0401 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/30"
 integration = "o365"
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 61d2041dc90..67627fe0ecb 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/30"
 integration = "o365"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index d152bc53a9c..2c51df7a029 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 1bd643578a5..2ca11a3f763 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 1b839998c75..3b4af3b6deb 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index c186b8e6f5f..d4399095be6 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index df9ab143902..da1f64e1b2d 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -2,6 +2,8 @@
 creation_date = "2022/01/13"
 integration = "o365"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/16"
 [rule]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 2b270b5cafd..4ed7923d889 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 integration = "o365"
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index e04ff860af0..412e03e1d39 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 613963e9364..11efcc42964 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/05"
 integration = "o365"
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 9c92c20dc56..659190ddb8c 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/15"
 integration = "o365"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 3727a0bb166..bca029fe52d 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 669e137cab4..f8e1c32fd7d 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 5d38fb7af71..9101fb1c2f3 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 9e159134142..6a9c7d9b5a1 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/05"
 integration = "o365"
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 7b739f01cdf..9d94abb5353 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -2,6 +2,8 @@
 creation_date = "2022/01/12"
 integration = "o365"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/01/12"
 [rule]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 4239655f327..420503dd5f1 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,6 +2,8 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/01/10"
 [rule]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 505427744d8..e7f7c9049d3 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -2,6 +2,8 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 [rule]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 23622c3b97f..b65b13d2adb 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index d121404abf5..b03bc158fc4 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/17"
 integration = "o365"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 5619369f8d3..0f3e58da896 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 1a0fab679de..d0c7a7c7300 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,6 +2,8 @@
 creation_date = "2022/01/06"
 integration = "o365"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index d32b719d387..4531f8d5a68 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/17"
 integration = "o365"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 67bc2197d82..03cd008ee07 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 10918a90f25..059cc00b492 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "o365"
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index d42815e8a82..7e85690104e 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/11"
 integration = "o365"
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index c03e8a92150..a366840ac90 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 integration = "okta"
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 8d3669b2fa2..6186aeae996 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index bbdb7edf8a3..12bf9f23ace 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 integration = "okta"
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index c183eadf53b..706db13a843 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 01701df4b83..aebc75dbb7d 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/03/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/22"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 772352d22d5..cb5980a0441 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 92f98af6f67..70c61ce3453 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index bb447116dd7..e2a8dece0c4 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 761968342cf..e264eb35582 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 4d798661300..05218943f78 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 336df740bfe..2df31c868d0 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 858f566b266..f5d4e03400b 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 445d1cdd235..668aa228f05 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index e4aed3711bb..e63c19a2875 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 982e8458a8d..40d2226bb28 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index d02dcb72401..3fc4943206e 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index a3ea6d1df28..0ffd7aaf4bf 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 108afdab4c5..15514516681 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index b2f655ef830..d98d3054874 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 4ceb6a98174..0ec7e5dfbb2 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 3d8a299b12d..2ca17e6a8ce 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/11"
 integration = "okta"
 
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 1d46e5fee73..90deabefe0f 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
index 4931d2f79af..8e6a7a3fde5 100644
--- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 0e074342251..be562390c9e 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 2d04368f2b6..8c291e50694 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index c24a7c89562..ec40c5d0936 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 4d46e0381a8..51ea014378c 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 82a72dfe775..145b21a92ef 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/20"
 integration = "okta"
 
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 3fb4239a883..58796e3e070 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 integration = "okta"
 
diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index 9f479d7df86..71e983ad4d8 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index fdfbd697248..73098bf79ed 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index d38d0b83171..68e4f76526c 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 974b60247cb..17b18199a75 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 736afdeec03..2ceb25ddcd5 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/28"
 
 [rule]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 6fbe0d37916..e11ac67a264 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index b5e5cf34af3..18ac4b63bd5 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 797dff73148..fdb553a4937 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index e712df9eb30..e18b80e24b4 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 13c7192ca38..4d85089fd81 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index fd9012555a1..2798c8eb797 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index ea799dd3e80..1e1e9772375 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/04/29"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 
 [rule]
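Review bot: The rewritten `min_stack_comments` in the defense_evasion_hidden_file_dir_tmp hunk discards the earlier reason the rule was gated (`EQL regex syntax introduced in 7.12`), so anyone later lowering the floor has no record that the query itself carries a minimum; the same happens in the execution_python_tty_shell hunk further down, where `Comprehensive timeline templates only available in 8.2+` is dropped. 8.3.0 satisfies both older constraints, so the effective gate is unchanged, but the comment should carry the rationale forward, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL regex syntax introduced in 7.12"`. The python_tty_shell file also keeps its `min_stack_*` keys after `updated_date` while every other hunk places them before it; reordering would keep the `[metadata]` layout uniform across the rule set.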
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index e6937f26f67..4d57af0378a 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index da385d91cd2..2941e2ac095 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index a5eef7011fb..aef7e2aafbb 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 
 [rule]
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 732997b8efd..de6a1c36ea8 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index 6e9d79e96b2..e2d15823b6d 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/06/02"
 
 [rule]
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index cf84f45e133..29a0f79ab04 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 044841ca27e..1fd92ad808a 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 1d4b67ba48d..7b5eca315dc 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/linux/execution_linux_netcat_network_connection.toml b/rules/linux/execution_linux_netcat_network_connection.toml
index 65097f9525d..1df3c20c4ea 100644
--- a/rules/linux/execution_linux_netcat_network_connection.toml
+++ b/rules/linux/execution_linux_netcat_network_connection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 9ec608508c8..467a6f7b999 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 91eb38b517f..abdcfaa8abf 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/12"
 
 [rule]
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index 0fe504fdff1..54228076421 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 
 [rule]
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 63d8087ed8b..1eb21225154 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/04/15"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index e4dc0cf2c51..b2453401ab0 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/01"
 
 [rule]
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index b7900e82135..af2ea9e13a9 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/11"
 [rule]
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index b4b8f0a7aa6..dfcb78e38c4 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/27"
 [rule]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index d833f362699..f3802896c4c 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 [rule]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index e0915c924e5..22a7bcd2551 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 [rule]
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 42efdaa3457..9340184af75 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 15ecd152a8c..0c68802970a 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 [rule]
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index fef7f9af4b6..0c1f250c60d 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 0dfeb99ed17..1759a57b4c6 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index ba99631fbfb..f30839ab162 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 23da8be4399..a400839e955 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 [rule]
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 6052c4d2de1..be8fb2fba60 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 [rule]
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 0dfe418b076..fedc878fee7 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/08/03"
 [rule]
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 3c097c6f14f..cb2ce49376c 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 [rule]
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 393a90ec6b1..a8d4aad1e09 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 [rule]
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index c3fc0ce3870..b27eb836015 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 [rule]
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index a70a2b68d06..31e20e5f7f4 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index a44761bef50..e700cf7a2f3 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index a0795302230..ef1b8f20b3b 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 [rule]
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 0e5f6b7d045..3cb1b4cba46 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1793757b701..b8f1128143a 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/09"
 [rule]
diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_ssh_bruteforce.toml
index c1dac360025..bd546c59c70 100644
--- a/rules/macos/credential_access_potential_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_ssh_bruteforce.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index bc2ee9eb7b6..aa91d319461 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 9e54cf24e20..7e934570f7f 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/27"
 [rule]
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 9d1d262aa39..49a6f5f7cbc 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 92d1bf9c0d0..c86dc874d1f 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 [rule]
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index b5de04075bc..ead6bad37ad 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 [rule]
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 00a38318d1b..da22b61ffd5 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/15"
 [rule]
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 52ec9d8ba0c..17f1ee4f9e9 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 [rule]
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index be7c8941271..5c09c650006 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 [rule]
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 6c160808b27..0970598145a 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 [rule]
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 268fe3771b1..69beae92dae 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 1bbc4c24e74..9c3428d2939 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 [rule]
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 45a66834f6a..e4cec68650c 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 [rule]
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index e4ec4127798..72ea179e8a0 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/21/07"
 [rule]
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 04002675711..5a767f69312 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/21"
 [rule]
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index cbff611403f..c1c6e37880c 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
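Review bot: The `updated_date = "2022/21/07"` context line in defense_evasion_unload_endpointsecurity_kext.toml is not a valid `YYYY/MM/DD` date (month 21), so any loader or linter that validates rule metadata dates would reject this file; the commit edits this `[metadata]` block but leaves the value untouched. The intended value is presumably `updated_date = "2022/07/21"` with day and month transposed, which should be confirmed from the file's history before correcting it. Since every `[metadata]` block in this batch is already being touched, this is the natural place to fix it.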
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index f8e2a26f441..fb7d36c0ed3 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/12"
 [rule]
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 7bf3ccc4a79..58bdb64c95d 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 4636116f405..26561639f80 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 64d39eea8a4..5f0e3e8d856 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/21"
 [rule]
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 67675757600..9bcc790c72f 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/06/22"
 [rule]
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index d2fbc37c02d..7b7733ccf2a 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/09"
 [rule]
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index dcc836e81ac..612fd6952f4 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 34691b1a2cc..331708cb1bb 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 [rule]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index bc970d23102..65ed446c99c 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 [rule]
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 69f97ef01c2..66f68d506a1 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 [rule]
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 31cc60b977c..5ab0e43fbc2 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index f67eea22750..cf6f5c08d66 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 01451501a48..c985ad60da2 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 41a6f1d5160..51d4ad97f9f 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 [rule]
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 35a10afd866..8ce53fb3df7 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 [rule]
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index 4387eeb9149..3152a78ca51 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/04/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/25"
 [rule]
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index fce77f91fae..dd98e88d0c4 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 49714ab2cea..ab3b9bd0510 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/25"
 [rule]
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index e46352a3c60..51098f42a45 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/08/25"
 [rule]
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 48fcbcafd78..20dd50e6e5d 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/16"
 [rule]
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 1246a62c090..9c190e402cb 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/08"
 [rule]
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index f760c40ac62..aa8590a9366 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 0de21067d44..7a1d07ad87e 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 967ae50d80a..438ad14a076 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/15"
 [rule]
@@ -24,6 +26,7 @@
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 3e5bfd31f64..40b8116ef1d 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 
 [rule]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 38b4b1d168b..8a553a1ddfa 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 31e1f9d45f4..3750c3f4264 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 
 [rule]
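Review bot: The `timestamp_override = "event.ingested"` line added to persistence_finder_sync_plugin_pluginkit.toml changes how that rule is scheduled and which events fall inside its lookback window, yet the file's `updated_date` (shown as `"2022/08/15"` in the preceding hunk) is left untouched; a content change should bump it alongside the metadata edit. It is also the only rule in this batch that receives a behavioral change, while the commit title and every other hunk are metadata-only, so it is worth either calling this out in the commit description or splitting it into its own change so reviewers and downstream consumers of the rule-diff can see it. Presumably the other rules in the set already carry this key; if not, the inconsistency is worth noting too.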
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 1b1b59ae5cb..910f20b2843 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/26"
 
 [rule]
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 70f528ef7a7..81902767ec0 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 99009173a77..ae828854e7c 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/27"
 
 [rule]
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 995245bb50e..3a1fb4d88be 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index eac455d9fbb..8f43f48acce 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/27"
 
 [rule]
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 75a41d02c3d..0ecc6c13015 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 537ec8cdc1c..8f3affcb6b4 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 5fe38cdc197..64635125df4 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/27"
 
 [rule]
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index f734d500b9f..977f232bd7e 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/27"
 
 [rule]
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 0f5514d0b0b..4c6c9a77c59 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 759156414c7..f679738e1e6 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 0def13bb6b1..4b1df1d260e 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 1b86ce26e4e..76edefb46e3 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index 3887f8ce041..db0dff04a98 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 58f246dd2f7..3c7ad0dc716 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index 764dfe22640..a5efd9d186d 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 3faf81a1510..155139ce591 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
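Review bot: Replacing `min_stack_comments = "ML job introduced in 7.14"` in credential_access_ml_auth_spike_in_failed_logon_events.toml with the generic "New fields added" text discards the record that this rule also depends on a specific ML job version, so a later reader will assume the 8.3.0 floor exists only because of the new fields and may lower it once those fields become universal. The same information loss happens in credential_access_ml_auth_spike_in_logon_events.toml in this hunk and in every rules/ml/ hunk below where the old text was "Supports latest version of ML job introduced in 8.3" or "ML job introduced in 7.14" (the auth_spike, auth_rare, anomalous_metadata, discovery_ml_*, execution_ml_*, ml_*_anomalous_network_*, persistence_ml_*, privilege_escalation_ml_* and resource_development_ml_* files). Since `min_stack_comments` is free text, both constraints can be kept on the one line, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; ML job introduced in 7.14"` (and the 8.3 wording for the other group), which is an easy batch edit before merging.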
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 5424191afdc..14d6b45e115 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 216b8c5ec98..e582efda9d0 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 maturity = "production"
 updated_date = "2022/07/17"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index edce166ce68..b4543d23f73 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 maturity = "production"
 updated_date = "2022/07/17"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index 79e9b9ddb7d..ff05f46b3e1 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index 620a546d385..e043727f68a 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 47c7da06ecf..78d2db1e09e 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index eb7bc7b278d..ecf2310b30e 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index db5319f19b2..76292678f8b 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index a57b9416638..d2fb4830724 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index add207132de..9ff7382b02f 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index 70f1708f484..86abc6daf3e 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index b627f8d31e0..7f89d01064e 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 503a63f707f..cbc3722a413 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 1e92cca5dff..36e3bed86c9 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 557e7771369..0a09218fd19 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index 8c4fdc43ad8..53a5a321e81 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index c24b0177ff0..7215e6d7809 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index c3dfcec90f2..b16c51eb6ff 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index ea7f00a4f72..8233a85bedd 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/06/15"
 
 [rule]
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 38cb5ab7f8a..dafc577a45d 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/08/14"
 
 [rule]
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 1718ac48522..717533cb5eb 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 13f4ec42de5..71060cb6c47 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 3ff8f3b6529..f1ca5287a95 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
index 59c7a9ebb41..e9b35c384ed 100644
--- a/rules/ml/ml_rare_destination_country.toml
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/06/15"
 
 [rule]
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
index 02b2266bbcb..95f3641e56a 100644
--- a/rules/ml/ml_spike_in_traffic_to_a_country.toml
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/06/15"
 
 [rule]
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 7d25b013dd2..9fe95a2cfe8 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
index 3d3087f818f..219b56e9ac7 100644
--- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
index 752dd900c8c..8dac682e0d4 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 7fc189fede7..ac5aca6182c 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 202bb085786..71f212b0dae 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index e5cf3ff1647..d27b2d3c090 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index d6604ba291f..8da60a9ea8c 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index 567ab2817bf..bab8ee22e19 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index b46168224e5..581e3e966cc 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index dcde9607ea5..ce135cafe43 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index c3be167eebb..c6a0799cdcd 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 maturity = "production"
 updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 0cf487f03a9..5978b7a2ef9 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/10"
 
 [rule]
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 78c58aa67fe..7c2c311243c 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/10"
 
 [rule]
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index bf64d4062a0..52ba7a84a01 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/06"
 
 [rule]
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 21726926b23..741cba4538e 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/10"
 
 [rule]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 74f56e4838e..2f0b3e200ea 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/10"
 
 [rule]
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index a6e23998f6b..6c1b6666966 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index da93ea48180..32e4431770e 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 7041c79953b..25751bb40ac 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/02/18"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 57317c93754..ed48d0bfa66 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/02/18"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 25c22a1f8fc..7550a8fd625 100644
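Review bot: The rdp and telnet hunks on this line replace `Comprehensive timeline templates only available in 8.2+` with the generic new-fields comment, and the `credential_access_cmdline_dump_tool` hunk further down does the same to `EQL regex syntax introduced in 7.12`; the new `8.3.0` floor still satisfies those older requirements, but the record of why the rule cannot go lower is lost, which matters if anyone later relaxes the floor. Suggest folding the earlier reason into the new string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; comprehensive timeline templates only available in 8.2+"`, and the equivalent `; EQL regex syntax introduced in 7.12` suffix for the dump-tool rule.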
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 4e2af0def22..a96f20bc523 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index e7404a012b6..45945bbc190 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index b03ebd5c0af..c5051b78575 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 9eaceac7e8b..cfd100bea45 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 90ecee9d631..88e262e8277 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/10"
 
 [rule]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index 075da944f3b..b4308997b75 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
index 50844f50a05..6e937f85d45 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index 5b68b4260fd..d3a1cab382e 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/13"
 
 [rule]
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
index 486f13b6805..6d9a06cc5e1 100644
--- a/rules/promotions/endgame_malware_detected.toml
+++ b/rules/promotions/endgame_malware_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/13"
 
 [rule]
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
index 2741cf21464..789d291be71 100644
--- a/rules/promotions/endgame_malware_prevented.toml
+++ b/rules/promotions/endgame_malware_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/13"
 
 [rule]
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index c5f22e24240..c6859fdf0fb 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/13"
 
 [rule]
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index 14052bfaa1a..1b092cfb314 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/12/13"
 
 [rule]
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
index 60996055050..1d4dd7fa899 100644
--- a/rules/promotions/execution_endgame_exploit_detected.toml
+++ b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
index 54df4545861..c97a53dfb5d 100644
--- a/rules/promotions/execution_endgame_exploit_prevented.toml
+++ b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 79043d89028..b301b08ba45 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/13"
 
 [rule]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index c1373019977..bf6a5a43d84 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
index 3c3e950eb94..85c2e01304a 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
index b95c7f9b55d..b98b686a31b 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
index baf4814adfa..27847dd0410 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
index 6ac709f6377..3461010672b 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index dee0eb2fff9..5311276b344 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/13"
 
 [rule]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 303a206f1a9..338cb4158ed 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index d97c9cd9ba0..2ed433782db 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index c61454c4254..4ce41091e94 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index ea98f15c135..c0c67a9996e 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 5ca39206e93..c6f146dc17d 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 88ab60d7670..623ca121173 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index c83f8df020b..8cdd9546567 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/16"
 
 [rule]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index e7f3516c830..bf2ab66e72b 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 8979e423b22..df3eb3a4eda 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index c6af56a5189..903b2c5b4d4 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 5550fce14eb..5528b804653 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 144464a555a..e7111698401 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 387e421871f..84925775e85 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index bf99ab3ba5d..355469fba63 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index a725d5e9c4c..2a6fd79383d 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 31a7c0202c1..0c35e622bfd 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 2f38f261c2e..2db72e1357a 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 92d7cd735b1..867caf164e9 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 249e2ddcec6..f2014122ade 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 4859ea0c871..a9a0bf1dadd 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 35c56fb4b39..01bc3a5a98e 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 99628ad60f5..8efde916d5f 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index a3bbfb74235..719e97d1119 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
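Review bot: The `credential_access_credential_dumping_msbuild.toml` index line on this physical line shows mode `100755`, so that rule file carries the executable bit while every other file in this diff is `100644`; the commit edits the file but leaves the mode as it was. A TOML rule definition has no reason to be executable, and an odd mode on one file in a bulk metadata sweep is easy to miss, so it is worth normalising to `100644` (for example via `git update-index --chmod=-x` on that path) here or in a follow-up.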
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 4992858da2d..fa1abb17af9 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 
 [rule]
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 40dd670c344..953e182f63d 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 224df3d85bc..405b9865f47 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index eba67d25341..3ac32eeae0f 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 335896d918d..ee72ac24a2c 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/29"
 
 [rule]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 15f675f069c..3783dc9c334 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/06/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/06/29"
 
 [rule]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index d91fdb45bae..247a55d8cc7 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/11/24"
 maturity = "production"
 updated_date = "2022/08/02"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 7d2f763e0f8..db1d70a345a 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index f4ddafe6687..f2b21f3677c 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index edde3a34773..4eabaa4a0d3 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/24"
 
 [rule]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 0b5fd0bf929..130ade1c815 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/29"
 
 [rule]
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 4af9eb1e30d..b6312fdbaa5 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-min_stack_comments = "File header bytes field populated until 7.15."
-min_stack_version = "7.15.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 3536aa91d0f..485466d718e 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 
 [rule]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index fbc289771bc..75e16257931 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 52aeb5f5718..b5058710933 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 6222ee5885f..fb7dbb6fbcc 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/09/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index d47a34ea9b5..270380dd4ba 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/04/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/30"
 
 [rule]
@@ -23,6 +25,7 @@ risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 431ad2d7a7f..5b25677cfc8 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/03/01"
 maturity = "production"
-min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
-min_stack_version = "7.15.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/30"
 
 [rule]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 1f317a28bad..64aaa2f43d7 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
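Review bot: The second hunk of credential_access_relay_ntlm_auth_via_http_spoolss.toml adds `timestamp_override = "event.ingested"`, which changes how the rule picks the time field it schedules against and is unrelated to the min_stack bump named in the commit subject, yet the first hunk shows `updated_date = "2022/04/30"` left untouched. If the repository's rule validation expects `updated_date` to advance whenever a `[rule]` field changes, this file needs its date bumped, or the `timestamp_override` line belongs in its own change where it can be reviewed on its merits. The `[rule]` table continues past the end of the hunk.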
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 
 [rule]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 498a1ca0a92..d5f2b5bc28d 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index eb8ba1019f3..d6105256e5d 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/13"
 
 [rule]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index b7294aac8d3..fa1e1825c7a 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 2d94e68d04c..56f6617110b 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,6 +2,8 @@
 creation_date = "2021/10/17"
 updated_date = "2022/03/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index bc9c9a1c3a4..7becf6e4898 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index e074350015e..216cb8f3ef9 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,8 +2,8 @@
 creation_date = "2021/10/14"
 updated_date = "2022/02/28"
 maturity = "production"
-min_stack_version = "7.14.0"
-min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
+min_stack_version = "8.3.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 
 [rule]
 
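Review bot: In credential_access_suspicious_lsass_access_via_snapshot.toml the added lines keep the old order, `min_stack_version` before `min_stack_comments`, while every other file in this change writes `min_stack_comments` first; since the hunk rewrites both lines anyway, swapping them costs nothing and keeps the `[metadata]` block uniform for anyone scanning the set. The comsvcs hunk in the same line also inserts the two keys after a block whose `updated_date` precedes `maturity`, which differs from the `creation_date`, `maturity`, `updated_date` order used elsewhere, though that ordering is untouched context here and can be left for a follow-up if a formatter is expected to normalize it.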
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index eadb2b47427..ee724b4c7f9 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 9d9ec54ccd5..62003fc1094 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/12/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 89b1c2be6ca..5a1003e198f 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -2,6 +2,8 @@
 creation_date = "2021/11/27"
 updated_date = "2022/03/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 8dffa5da197..b4a6e78efb7 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/02/18"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index 2cde9436bdd..d58644f7fe8 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index e3de73a4dc5..14749596f3c 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/11/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index f387587232d..d948c041072 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/08"
 
 [rule]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 248c209fd94..76e388c534d 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 2a022aee2e4..3bc075ecbe4 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 07d15a1c7cd..f9522c0e3bc 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 19cfe4d4e05..915c47d63fb 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index e9e6d2edf75..df81cf114ec 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 1b9d1c54774..54ae2c1ea3b 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 41011adf8b5..90175ff7fa1 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index dc98a8dc7f5..aefba79dd0f 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 9dd37de19e2..2e023e9240b 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index b23c86bc786..648f80c4cb1 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 560f2d795b9..0dbdcc80b13 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 588a7827363..322764ca6ef 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index ba0d5224524..fb589dece09 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 0592b61ba10..89b7e53c62a 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 35df953dc93..453087a8dee 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/09/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index d1d7ec960e7..2344169cea5 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/10/13"
 maturity = "production"
 updated_date = "2022/07/20"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index bac0405d7c6..8b68f6a0d33 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index a62d75041b6..03ad0e828eb 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 8752c8e19c3..c8fdeda0da5 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index b14688c4bfc..dbfefee7465 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index b096c92c15c..f1b6fa935eb 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 955a53ea7ac..77bc8ce30d1 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 387b75639d2..7f7a0559f07 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 0d0d67ae1d2..b1dc6c353a3 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index add66ec4c35..bbf85472acf 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index fd85c211975..602e92feba7 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
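Review bot: The replaced `min_stack_comments` in defense_evasion_file_creation_mult_extension.toml discards the only record of why this rule ever had a floor (EQL regex syntax, 7.12); 8.3.0 still satisfies that constraint, but the next person who lowers `min_stack_version` again has no way to know a second, older limit exists. Keep the earlier reason alongside the new one, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL regex syntax requires 7.12+"`. The same loss occurs in the discovery_command_system_account.toml hunk (EQL optional-fields syntax, 7.16) and the defense_evasion_suspicious_certutil_commands.toml hunk (comprehensive timeline templates, 8.2).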
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index c31f119af1f..a4b5335934e 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index f5864bd392e..14707c9b224 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 828cfdc9165..b948f747522 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index f62ca5f7451..815699bc39d 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 0828749b9f6..98e614a1ec7 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index c33ccef3dfd..501e34903ff 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index e7161d0890e..84909a4dcf2 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 25b898ad3fd..e7fd24d11f8 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/10/13"
 
 [rule]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 5d7a7ba297a..bc3fadcd8ca 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index e8504e288ee..81d40b451bc 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 31ee40955dd..ab2fec082cf 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 1b6bc53baaa..805420b5e6c 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/09/23"
 
 [rule]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index fc2a853d30f..22dbe221e7b 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 9e5ecf447e6..cefbacd9faa 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index f85daba073d..c05d68e2d11 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 48f5b6e0041..4714e2bb9f1 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/07/14"
 
 [rule]
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 238e72e3a69..23cbe6acd53 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index b486d12cff7..74100d7398d 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 97779af30a0..7b3a1a5aeb6 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 28f8d5a5016..d44bc3faccd 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 481f5dfae27..cc0c021d69c 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 61688700732..9a0698efc38 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/01"
 
 [rule]
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index 2827666da3c..741ee76e8c5 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
@@ -26,6 +28,7 @@ risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 24ea0ce458b..6bf40539a75 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 8b069e3c1a0..1d565cd573b 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
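Review bot: The second hunk of defense_evasion_proxy_execution_via_msdt.toml adds `timestamp_override = "event.ingested"`, which changes what the rule evaluates (ingest time rather than `@timestamp`) and is unrelated to the metadata floor the commit title describes, yet the first hunk leaves `updated_date = "2022/07/20"` untouched. Every other file in this chunk receives only the two `min_stack_*` lines, so this one file silently carries a detection-behavior change under a "min_stack" commit. Either bump `updated_date` here so the rule's own history records the change, or move the `timestamp_override` line into its own commit; the `[rule]` table continues outside the hunk.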
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 26ba3a77642..dd06a4afd03 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 74952e3a18f..abe66200d51 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 2b4a23fccd7..6737a36702c 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 628e5d7b18b..d09a6c4999b 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/02/18"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index ea95c5ac1a0..0b96b4a73a3 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index c885b93f22c..33f505b2553 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
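Review bot: In defense_evasion_suspicious_certutil_commands.toml the rewritten `min_stack_comments` / `min_stack_version` lines stay below `updated_date`, while every other `[metadata]` table in this commit places them above it; since the commit is already touching both lines, moving them above `updated_date = "2022/03/31"` would leave all files with one key order and make future bulk edits of this table mechanical. The value normalization from `"8.2"` to `"8.3.0"` is welcome.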
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index b5132a60e5b..9dc6e69d9fc 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/30"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index 11d4b4be012..8d5303f0907 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 4edc902adbd..e44c0311b5c 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 978d4c730db..6099477b1df 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/18"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index b66064a65d2..df2a462b1a2 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 347a288c9bd..7410c30afd9 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index ad708348224..77efaf02ac5 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 714cab64f8f..4673cb81a27 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 89516e87ebb..02ee6a70d17 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 5b1a36a5433..99b042d3098 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 63ec1b1c9af..59284280762 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 73cec9c2c32..a045195ed33 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index b61d1ab8b10..0d6dd9ff6b2 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 840911786f2..86015967896 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 5680002eb5e..54f6b18e09d 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/03/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 5166b5dadbd..8e8af282638 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 9db5ed801ab..b497c9e609c 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/21"
 
 [rule]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index f29e17be027..49a9afadb82 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/21"
 
 [rule]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 1cb97983a31..b7d82df7458 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 20bc4c12c74..63256b3e5d3 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/21"
 
 [rule]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 9d82dda6636..02b23c4770b 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/21"
 
 [rule]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 4c0feb42301..03ee77d28b1 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 8af6b60bb35..41ca23dc570 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/21"
 
 [rule]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index fef327af87d..330fa68d00f 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 1030003c6cd..8d37024d6be 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/06/14"
 
 [rule]
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 3365e23a048..e176e5b0e21 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/21"
 
 [rule]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 1a3ee704624..b09ad56af06 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 02fbad45b1c..f21efc26e4f 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 
 [rule]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 842b7e305c8..418761839f2 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 5f123a7abf7..7325ccdfa5d 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index d521f15c766..c54b386257c 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/05/26"
 
 [rule]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 014993e3906..477ff5087bc 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/02/18"
 maturity = "production"
 updated_date = "2022/08/03"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 39e4ec455cc..3172d0bffe1 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index dd406eaeb78..1b3457e25c7 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index a4194430c1d..35a0ac77254 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index f8370250d40..6abab78a0e1 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index e4cc470138e..0affd13f5cc 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 12a8bab11d2..64a8f8f78d4 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 
 [rule]
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 14e53e6cbc7..a9c40c766a6 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index b2018109329..87720459d6b 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index c40773fa259..3a27b6e8606 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 7ec0e180886..41bfbab79e3 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 1f586ed2bca..3629bdb1345 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index eea8d7e2db9..a34fa00e03d 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 0e1e196bac5..349f0f9801c 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 1ccfb17e6f3..3c13dd8d3a5 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 8f636125939..592e8baa606 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 2fb99c696bd..0238b3d0cfa 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/21"
 
 [rule]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index c543dd0a12b..f80512f9c86 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 277f4556a53..20c5c9cb80f 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 9f5aa58613d..55d46f89cff 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index b3b3a3dde93..77366c22c95 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index c10dc9be6f0..7a996ba242c 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 07f355d3640..75a2f7cd31c 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/01"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 78c8dd66cdd..4a8ab2c851a 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 08bd6c26557..f4deebdf24a 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/29"
 
 [rule]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 7ed6ca4d442..6fb85a1e73d 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index a049d324d0f..8c93113a406 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 5aa7db9cf51..a1bbe907135 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 9f6e33d6046..c04148ca91d 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 89d55f8aec3..80d1df89269 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/07/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/03"
 
 [rule]
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 8ad0c47c2ba..968c4e26ace 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 636783ea43b..a83f1fb782e 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index b97252ffabf..570fd67094a 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 170467c5bc6..1b3761ebe00 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 1fb11a8ec56..2fc04cd2067 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 8af826f0989..e25588d0561 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 397e53e29fd..79132146e87 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index ad9b101a045..ac9bb03a73b 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 634aef78054..a14bf62b55a 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 9f62938589b..30a04aefc61 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 5610adb230d..67342bd3aa2 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 8b898b011d1..2c3f863df8d 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 
 [rule]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index b8c2de134bd..b6e0ee6314b 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/01/13"
 
 [rule]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 7abcd80c5fa..8165a1b99cb 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/01/13"
 
 [rule]
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index cffda358a40..d91a90cb8ea 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 39a9850fe8c..ed401ceda8d 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 
 [rule]
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index f2b1052df46..a1bec149a7d 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/06"
 
 [rule]
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index e71d29e9436..b82d50e9dc1 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 7f643135fb6..8110f9dd81c 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/10"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 
 [rule]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 275db00083c..6c6e98e33f7 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index af720899382..13a1458a6d9 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 
 [rule]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 9a45277bfc8..867446180ae 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/01/13"
 
 [rule]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 8ec58a7467a..6940e499910 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/01/13"
 [rule]
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 27cb52548e3..060dc8961fc 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index dc983f7440c..2364f51ac98 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 [rule]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 8aa1a6fe3b6..3ccfebe3168 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 93a7d6ca72c..95f297c52b9 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 [rule]
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 33ce418dad1..11fff298221 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index fde56d87dfc..c325d94850e 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/01"
 [rule]
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 24fb688d0d2..6b4679510b6 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/06"
 [rule]
diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
index 2926e729fd8..52ce460f298 100644
--- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml
+++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index c83e5f1c09b..956b5d36cc0 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 [rule]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 1515fcef4ee..2eba2230a04 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 [rule]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index e69db3deaee..fe844128c0f 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/13"
 [rule]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index afeb0fdc611..9dcf32bce56 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index b2a649d7d53..7e0a98157bd 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 3d848d39949..049319a60df 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b2c73e2ac57..ee3352a007a 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index b3b0f594d49..4cabb99403b 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/23"
 [rule]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 3825fa432a7..c6066a6a7e1 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 359ee3b4022..967a5a347c1 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2022/08/17"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 33756adcc8f..18e208296d3 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 4ec2dfca6de..bbb900b3e19 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 560c30f21de..7c3afd664e2 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
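Review bot: Replacing `min_stack_comments = "EQL regex syntax introduced in 7.12"` with the generic "New fields added" text in the first hunk of persistence_evasion_registry_ifeo_injection.toml discards the record that this rule also has a query-syntax floor, so anyone later lowering min_stack_version for this file no longer sees that 7.12 is a hard lower bound for the regex support it relies on. Appending rather than overwriting keeps both reasons visible, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL regex syntax introduced in 7.12"`; the same applies to the rewritten rationales in the hunks for persistence_local_scheduled_task_creation.toml, persistence_registry_uncommon.toml, persistence_run_key_and_startup_broad.toml and privilege_escalation_installertakeover.toml. Placement is also inconsistent across the commit: files that already carried the keys keep them after `updated_date`, while newly added keys land before it, which presumably reflects the bulk edit rather than a deliberate layout and would be worth normalizing so the `[metadata]` tables diff cleanly in future passes. If the repository treats a min_stack_version change as a rule update, `updated_date` would also need a bump here, which the hunk does not do.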
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 3abb7cd7c5f..d0ca39fd8f6 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/04"
 [rule]
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index c18d24c6fb0..866f3eb3fff 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 [rule]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 1133fb27ca8..989e5f7508c 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/16"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 059c908b70f..9174555f7bf 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 7711fd21528..39d559be4d2 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/01/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/13"
 [rule]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 1db8061ae64..8bc2685b15a 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/20"
 [rule]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 0a055ef4c41..7b1821f35b6 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 9dcc445b97f..17b49798185 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/11/18"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index f09f1290c9f..67c1ee193e9 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 [rule]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 28051d02a1d..c4daa6d5735 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/11/18"
 maturity = "production"
 updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 69a428737f6..534cfbcf714 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2021/03/03"
 [rule]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 3d49f5d7760..63e672db709 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/06/03"
 [rule]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 06ecd712bcf..9b663a5f73a 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 [rule]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index a36c9a58431..c3625b82da1 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 80e81892e4a..2d15191c445 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/17"
 [rule]
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 4ca25716ead..c6124f1d59d 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 53ce2d3d094..799fb6bc439 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 18f8d8db489..05f84155fbe 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 [rule]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 7571849916d..67ee7822909 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/09"
 [rule]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 9315c24f122..893a1f363a8 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 [rule]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index f92ac6ca93a..7b8d6de9c58 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 09aa535f6ca..75c325afc21 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/28"
 [rule]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index a4d154837cd..3d14692190e 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index ea713ca4d0b..4c6f4250ca7 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 [rule]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 355869f2736..11b3b5aa225 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 84f48f3f82e..a360f861bc6 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 60d217ff9d0..31b0e440c5f 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 6ae20021702..50417fc7ac8 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 6fc02c63764..e04a4a84c60 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index dc0524bd662..4e95736ae88 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/03"
 [rule]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index e4549f5bd51..181a4387d99 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index 69663f8c90c..f21e67f6bef 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 [rule]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index f35db5c3212..065e8152294 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 [rule]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index cf600e0a3da..570310780d3 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index afbc05d7412..21c810079f3 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index b56a7fcaf22..d044001f36f 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/02"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 82f314a47d3..81d21519ea3 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index faeb8989ef6..5c7cbf40d9e 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/11/25"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/09"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index b2fbedc4d24..9f532617de4 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/04/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/27"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 0d33aa97997..541986e1408 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 8ef1ebecc7c..33b5bb1844a 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
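Review bot: The rewritten `min_stack_comments` in the privilege_escalation_installertakeover hunk replaces the earlier rationale ("EQL optional fields syntax was not introduced until 7.16") instead of extending it, so the file no longer records why the rule cannot run below 7.16 if the 8.3.0 floor is ever relaxed. The same replacement appears in the privilege_escalation_unusual_printspooler_childprocess hunk further down. Since the comment is the only place the older constraint lives, consider keeping both reasons in the one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL optional fields syntax was not introduced until 7.16"`.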
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 1d47d7423ed..a7e65b8c2fa 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/02"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index bbc327c47e1..61fa1965a4b 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 2a73658996d..9016be078e9 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index b444af272e8..3b1f33d606e 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 4952c61bdf0..8146a5282f8 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index af56fb238eb..3955f8442b6 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 791707ea03a..7808208c2b9 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/14"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 8d32b434265..4c4f5c2b68b 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/12/12"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/13"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index e773941b6f3..4d7bc7dda2c 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/05/11"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 70a509e6e30..f2e360f19b6 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index e02bb7e9625..a9950da63c7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index d1dfe81dbeb..492115481ca 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index ee62820a9f0..4023da9f8b1 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 3dc01cfe071..b99c4a55364 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index e2bec86f947..3f5ea8c07c7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 7ebe8c35ea4..db91bec7b71 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 68ea244d1b7..025be0739ba 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/22"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index ee4a4b19fd8..25a470e2eab 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/07/05"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 5d80bc7104f..7a8ff0c18ad 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/04/20"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index b2bfcc6f007..8c705c4bd9b 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/08/01"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 03e0c4740a7..b9d469dbd70 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/03/31"
 
 [rule]
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 4f186739ddb..4d4b5eca212 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -1,6 +1,8 @@
 [metadata]
 creation_date = "2022/02/07"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 updated_date = "2022/02/07"
 
 [rule]
From cc66dcbf28a025e2801ef4883dccf0e18eefed0d Mon Sep 17 00:00:00 2001
From: Mika Ayenson Date: Wed, 24 Aug 2022 11:10:40 -0400 Subject: [PATCH 2/2] bump date --- rules/apm/apm_403_response_to_a_post.toml | 2 +- .../apm_405_response_method_not_allowed.toml | 2 +- rules/apm/apm_null_user_agent.toml | 2 +- rules/apm/apm_sqlmap_user_agent.toml | 2 +- ...s_cookies_chromium_browsers_debugging.toml | 2 +- ..._evasion_agent_spoofing_mismatched_id.toml | 2 +- ...evasion_agent_spoofing_multiple_hosts.toml | 2 +- ...e_evasion_deleting_websvr_access_logs.toml | 2 +- ...deletion_of_bash_command_line_history.toml | 2 +- ...sion_elastic_agent_service_terminated.toml | 8 ++--- .../defense_evasion_timestomp_touch.toml | 2 +- .../discovery_security_software_grep.toml | 2 +- ...y_virtual_machine_fingerprinting_grep.toml | 2 +- ...on_pentest_eggshell_remote_admin_tool.toml | 2 +- .../execution_python_script_in_cmdline.toml | 2 +- .../execution_revershell_via_shell_cmd.toml | 2 +- ...xecution_suspicious_jar_child_process.toml | 2 +- ...tion_suspicious_java_netcon_childproc.toml | 2 +- .../impact_hosts_file_modified.toml | 2 +- ..._access_zoom_meeting_with_no_passcode.toml | 2 +- ...l_access_modify_auth_module_or_config.toml | 24 ++++++------- ...ersistence_shell_profile_modification.toml | 2 +- ...ence_ssh_authorized_keys_modification.toml | 20 +++++------ ...lege_escalation_echo_nopasswd_sudoers.toml | 2 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 2 +- ...ilege_escalation_sudo_buffer_overflow.toml | 2 +- ...privilege_escalation_sudoers_file_mod.toml | 2 +- .../threat_intel_filebeat8x.toml | 2 +- .../threat_intel_fleet_integrations.toml | 2 +- ...collection_cloudtrail_logging_created.toml | 2 +- ...ccess_aws_iam_assume_role_brute_force.toml | 2 +- ...ial_access_iam_user_addition_to_group.toml | 2 +- ...cess_root_console_failure_brute_force.toml | 2 +- ..._access_secretsmanager_getsecretvalue.toml | 2 +- ...se_evasion_cloudtrail_logging_deleted.toml | 2 +- ..._evasion_cloudtrail_logging_suspended.toml | 2 +- 
...nse_evasion_cloudwatch_alarm_deletion.toml | 2 +- ..._evasion_config_service_rule_deletion.toml | 2 +- ...vasion_configuration_recorder_stopped.toml | 2 +- ...defense_evasion_ec2_flow_log_deletion.toml | 2 +- ...ense_evasion_ec2_network_acl_deletion.toml | 2 +- ...n_elasticache_security_group_creation.toml | 2 +- ...he_security_group_modified_or_deleted.toml | 2 +- ...e_evasion_guardduty_detector_deletion.toml | 2 +- ...sion_s3_bucket_configuration_deletion.toml | 2 +- .../aws/defense_evasion_waf_acl_deletion.toml | 2 +- ...asion_waf_rule_or_rule_group_deletion.toml | 2 +- ..._full_network_packet_capture_detected.toml | 2 +- ...ltration_ec2_snapshot_change_activity.toml | 2 +- .../exfiltration_ec2_vm_export_failure.toml | 2 +- .../aws/exfiltration_rds_snapshot_export.toml | 2 +- .../exfiltration_rds_snapshot_restored.toml | 2 +- ..._eventbridge_rule_disabled_or_deleted.toml | 2 +- .../impact_cloudtrail_logging_updated.toml | 2 +- .../impact_cloudwatch_log_group_deletion.toml | 2 +- ...impact_cloudwatch_log_stream_deletion.toml | 2 +- .../impact_ec2_disable_ebs_encryption.toml | 2 +- ...mpact_efs_filesystem_or_mount_deleted.toml | 2 +- .../aws/impact_iam_deactivate_mfa_device.toml | 2 +- .../aws/impact_iam_group_deletion.toml | 2 +- .../aws/impact_rds_group_deletion.toml | 2 +- .../impact_rds_instance_cluster_deletion.toml | 2 +- .../impact_rds_instance_cluster_stoppage.toml | 2 +- .../initial_access_console_login_root.toml | 2 +- .../aws/initial_access_password_recovery.toml | 2 +- .../initial_access_via_system_manager.toml | 2 +- .../ml_cloudtrail_error_message_spike.toml | 2 +- .../aws/ml_cloudtrail_rare_error_code.toml | 2 +- .../ml_cloudtrail_rare_method_by_city.toml | 4 +-- .../ml_cloudtrail_rare_method_by_country.toml | 4 +-- .../ml_cloudtrail_rare_method_by_user.toml | 4 +-- .../persistence_ec2_network_acl_creation.toml | 2 +- ..._group_configuration_change_detection.toml | 2 +- .../aws/persistence_iam_group_creation.toml | 2 +- 
.../aws/persistence_rds_cluster_creation.toml | 2 +- .../aws/persistence_rds_group_creation.toml | 2 +- .../persistence_rds_instance_creation.toml | 2 +- ...ersistence_redshift_instance_creation.toml | 2 +- ...oute_53_domain_transfer_lock_disabled.toml | 2 +- ...domain_transferred_to_another_account.toml | 2 +- ..._53_hosted_zone_associated_with_a_vpc.toml | 2 +- .../aws/persistence_route_table_created.toml | 2 +- ...tence_route_table_modified_or_deleted.toml | 2 +- ...calation_aws_suspicious_saml_activity.toml | 2 +- ...ege_escalation_root_login_without_mfa.toml | 4 +-- ...ilege_escalation_sts_assumerole_usage.toml | 2 +- ..._escalation_sts_getsessiontoken_abuse.toml | 2 +- ...ege_escalation_updateassumerolepolicy.toml | 2 +- ...collection_update_event_hub_auth_rule.toml | 2 +- ..._full_network_packet_capture_detected.toml | 2 +- .../credential_access_key_vault_modified.toml | 2 +- ...ccess_storage_account_key_regenerated.toml | 2 +- ...e_application_credential_modification.toml | 2 +- ...sion_azure_automation_runbook_deleted.toml | 4 +-- ...asion_azure_blob_permissions_modified.toml | 2 +- ...on_azure_diagnostic_settings_deletion.toml | 2 +- ...sion_azure_service_principal_addition.toml | 2 +- .../defense_evasion_event_hub_deletion.toml | 2 +- ...ense_evasion_firewall_policy_deletion.toml | 2 +- ...on_frontdoor_firewall_policy_deletion.toml | 2 +- ...nse_evasion_kubernetes_events_deleted.toml | 2 +- ...ense_evasion_network_watcher_deletion.toml | 2 +- ...ense_evasion_suppression_rule_created.toml | 2 +- .../discovery_blob_container_access_mod.toml | 2 +- .../execution_command_virtual_machine.toml | 2 +- ...e_service_principal_credentials_added.toml | 2 +- .../azure/impact_kubernetes_pod_deleted.toml | 2 +- .../azure/impact_resource_group_deletion.toml | 2 +- ...mpact_virtual_network_device_modified.toml | 2 +- ...ure_active_directory_high_risk_signin.toml | 4 +-- ..._high_risk_signin_atrisk_or_confirmed.toml | 4 +-- ...re_active_directory_powershell_signin.toml | 
2 +- ...tack_via_azure_registered_application.toml | 4 +-- ...ial_access_external_guest_user_invite.toml | 2 +- ...ence_azure_automation_account_created.toml | 2 +- ...utomation_runbook_created_or_modified.toml | 2 +- ...ence_azure_automation_webhook_created.toml | 2 +- ...re_conditional_access_policy_modified.toml | 2 +- ...re_global_administrator_role_assigned.toml | 2 +- ...nce_azure_pim_user_added_global_admin.toml | 2 +- ...ged_identity_management_role_modified.toml | 6 ++-- ...rsistence_mfa_disabled_for_azure_user.toml | 2 +- ..._added_as_owner_for_azure_application.toml | 2 +- ..._as_owner_for_azure_service_principal.toml | 2 +- ..._azure_kubernetes_rolebinding_created.toml | 2 +- ...berarkpas_error_audit_event_promotion.toml | 2 +- ...commended_events_to_monitor_promotion.toml | 2 +- .../endpoint/elastic_endpoint_security.toml | 2 +- ...ion_gcp_pub_sub_subscription_creation.toml | 2 +- ...collection_gcp_pub_sub_topic_creation.toml | 2 +- ...nse_evasion_gcp_firewall_rule_created.toml | 2 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 2 +- ...se_evasion_gcp_firewall_rule_modified.toml | 2 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 2 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 2 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 2 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 2 +- ...storage_bucket_configuration_modified.toml | 2 +- ...p_storage_bucket_permissions_modified.toml | 2 +- ...virtual_private_cloud_network_deleted.toml | 2 +- ...p_virtual_private_cloud_route_created.toml | 2 +- ...p_virtual_private_cloud_route_deleted.toml | 2 +- ...tration_gcp_logging_sink_modification.toml | 2 +- .../gcp/impact_gcp_iam_role_deletion.toml | 2 +- .../impact_gcp_service_account_deleted.toml | 2 +- .../impact_gcp_service_account_disabled.toml | 2 +- .../impact_gcp_storage_bucket_deleted.toml | 2 +- ...l_access_gcp_iam_custom_role_creation.toml | 2 +- ..._gcp_iam_service_account_key_deletion.toml | 2 +- 
...e_gcp_key_created_for_service_account.toml | 2 +- ...rsistence_gcp_service_account_created.toml | 2 +- ...netes_rolebindings_created_or_patched.toml | 2 +- ...d_to_google_workspace_trusted_domains.toml | 2 +- ..._google_workspace_admin_role_deletion.toml | 2 +- ...le_workspace_mfa_enforcement_disabled.toml | 2 +- ...tion_added_to_google_workspace_domain.toml | 2 +- ...workspace_admin_role_assigned_to_user.toml | 2 +- ...a_domain_wide_delegation_of_authority.toml | 2 +- ...e_workspace_custom_admin_role_created.toml | 2 +- ...ence_google_workspace_policy_modified.toml | 2 +- ...stence_google_workspace_role_modified.toml | 2 +- ...led_for_google_workspace_organization.toml | 2 +- ...covery_suspicious_self_subject_review.toml | 6 ++-- .../execution_user_exec_to_pod.toml | 4 +-- ...ed_service_created_with_type_nodeport.toml | 2 +- ...e_escalation_pod_created_with_hostipc.toml | 2 +- ...calation_pod_created_with_hostnetwork.toml | 2 +- ...e_escalation_pod_created_with_hostpid.toml | 2 +- ...created_with_sensitive_hospath_volume.toml | 6 ++-- ...ege_escalation_privileged_pod_created.toml | 2 +- ...llection_microsoft_365_new_inbox_rule.toml | 2 +- ..._365_brute_force_user_account_attempt.toml | 2 +- ...65_potential_password_spraying_attack.toml | 2 +- ...ccess_user_excessive_sso_logon_errors.toml | 2 +- ...osoft_365_exchange_dlp_policy_removed.toml | 2 +- ...change_malware_filter_policy_deletion.toml | 2 +- ..._365_exchange_malware_filter_rule_mod.toml | 2 +- ...65_exchange_safe_attach_rule_disabled.toml | 2 +- ...oft_365_mailboxauditbypassassociation.toml | 2 +- ..._365_exchange_transport_rule_creation.toml | 2 +- ...osoft_365_exchange_transport_rule_mod.toml | 2 +- ...ft_365_mass_download_by_a_single_user.toml | 2 +- ...oft_365_potential_ransomware_activity.toml | 2 +- ...t_365_unusual_volume_of_file_deletion.toml | 2 +- ...5_exchange_anti_phish_policy_deletion.toml | 2 +- ...soft_365_exchange_anti_phish_rule_mod.toml | 2 +- 
...osoft_365_exchange_safelinks_disabled.toml | 2 +- ...rosoft_365_impossible_travel_activity.toml | 2 +- ...65_user_restricted_from_sending_email.toml | 2 +- ...cess_o365_user_reported_phish_malware.toml | 2 +- ...al_movement_malware_uploaded_onedrive.toml | 2 +- ..._movement_malware_uploaded_sharepoint.toml | 2 +- ...e_suspicious_mailbox_right_delegation.toml | 2 +- ...exchange_dkim_signing_config_disabled.toml | 2 +- ...5_exchange_management_role_assignment.toml | 2 +- ..._365_global_administrator_role_assign.toml | 2 +- ..._teams_custom_app_interaction_allowed.toml | 2 +- ...oft_365_teams_external_access_enabled.toml | 2 +- ...rosoft_365_teams_guest_access_enabled.toml | 2 +- ...ion_new_or_modified_federation_domain.toml | 2 +- ...l_access_attempted_bypass_of_okta_mfa.toml | 2 +- ...mpts_to_brute_force_okta_user_account.toml | 2 +- ...redential_access_mfa_push_brute_force.toml | 2 +- ...okta_brute_force_or_password_spraying.toml | 2 +- ...tial_access_user_impersonation_access.toml | 2 +- ...tempt_to_deactivate_okta_network_zone.toml | 2 +- ...n_attempt_to_delete_okta_network_zone.toml | 2 +- ...kta_attempt_to_deactivate_okta_policy.toml | 2 +- ...ttempt_to_deactivate_okta_policy_rule.toml | 2 +- ...on_okta_attempt_to_delete_okta_policy.toml | 2 +- ...ta_attempt_to_delete_okta_policy_rule.toml | 2 +- ...a_attempt_to_modify_okta_network_zone.toml | 2 +- ...on_okta_attempt_to_modify_okta_policy.toml | 2 +- ...ta_attempt_to_modify_okta_policy_rule.toml | 2 +- ...ser_password_reset_or_unlock_attempts.toml | 2 +- ...pact_attempt_to_revoke_okta_api_token.toml | 2 +- ...ttempt_to_deactivate_okta_application.toml | 2 +- ...ta_attempt_to_delete_okta_application.toml | 2 +- ...ta_attempt_to_modify_okta_application.toml | 2 +- .../okta/impact_possible_okta_dos_attack.toml | 2 +- ...ta_user_attempted_unauthorized_access.toml | 2 +- ...icious_activity_reported_by_okta_user.toml | 2 +- ...threat_detected_by_okta_threatinsight.toml | 2 +- 
...tor_privileges_assigned_to_okta_group.toml | 2 +- ...inistrator_role_assigned_to_okta_user.toml | 2 +- ...ence_attempt_to_create_okta_api_token.toml | 2 +- ..._deactivate_mfa_for_okta_user_account.toml | 2 +- ...set_mfa_factors_for_okta_user_account.toml | 2 +- ..._or_delete_application_sign_on_policy.toml | 2 +- ...ction_attempt_by_non_ssh_root_session.toml | 4 +-- ...and_and_control_linux_iodine_activity.toml | 2 +- ...d_and_control_tunneling_via_earthworm.toml | 2 +- ...ial_access_collection_sensitive_files.toml | 2 +- .../credential_access_ssh_backdoor_log.toml | 2 +- ...ion_attempt_to_disable_syslog_service.toml | 2 +- ..._base32_encoding_or_decoding_activity.toml | 2 +- ...defense_evasion_chattr_immutable_file.toml | 2 +- ...fense_evasion_disable_selinux_attempt.toml | 2 +- ...fense_evasion_file_deletion_via_shred.toml | 2 +- ...defense_evasion_file_mod_writable_dir.toml | 2 +- .../defense_evasion_hidden_file_dir_tmp.toml | 2 +- .../defense_evasion_hidden_shared_object.toml | 4 +-- ...defense_evasion_kernel_module_removal.toml | 2 +- .../defense_evasion_log_files_deleted.toml | 2 +- .../discovery_kernel_module_enumeration.toml | 2 +- .../linux/discovery_linux_hping_activity.toml | 2 +- .../linux/discovery_linux_nping_activity.toml | 2 +- ...covery_virtual_machine_fingerprinting.toml | 2 +- ...tion_abnormal_process_id_file_created.toml | 2 +- ...ution_linux_netcat_network_connection.toml | 2 +- rules/linux/execution_perl_tty_shell.toml | 2 +- ..._process_started_from_process_id_file.toml | 2 +- ...ss_started_in_shared_memory_directory.toml | 6 ++-- rules/linux/execution_python_tty_shell.toml | 4 +-- .../execution_shell_evasion_linux_binary.toml | 2 +- rules/linux/execution_tc_bpf_filter.toml | 2 +- .../linux/impact_process_kill_threshold.toml | 2 +- ...ment_telnet_network_activity_external.toml | 2 +- ...ment_telnet_network_activity_internal.toml | 2 +- .../persistence_chkconfig_service_add.toml | 6 ++-- ...credential_access_modify_ssh_binaries.toml | 2 +- 
.../persistence_dynamic_linker_backup.toml | 2 +- .../linux/persistence_etc_file_creation.toml | 4 +-- ...persistence_insmod_kernel_module_load.toml | 4 +-- ...ersistence_kde_autostart_modification.toml | 2 +- ...sistence_shell_activity_by_web_server.toml | 2 +- ...lation_ld_preload_shared_object_modif.toml | 2 +- ...vilege_escalation_pkexec_envar_hijack.toml | 2 +- ...ccess_to_browser_credentials_procargs.toml | 2 +- ...edential_access_credentials_keychains.toml | 2 +- ...dential_access_dumping_hashes_bi_cmds.toml | 2 +- ...tial_access_dumping_keychain_security.toml | 2 +- .../credential_access_kerberosdump_kcc.toml | 2 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 2 +- ...ential_access_mitm_localhost_webproxy.toml | 2 +- ...ntial_access_potential_ssh_bruteforce.toml | 2 +- ...al_access_promt_for_pwd_via_osascript.toml | 2 +- .../credential_access_systemkey_dumping.toml | 2 +- ...vasion_apple_softupdates_modification.toml | 4 +-- ...evasion_attempt_del_quarantine_attrib.toml | 2 +- ...evasion_attempt_to_disable_gatekeeper.toml | 4 +-- ...ense_evasion_install_root_certificate.toml | 2 +- ..._evasion_modify_environment_launchctl.toml | 2 +- ...cy_controls_tcc_database_modification.toml | 2 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 2 +- .../defense_evasion_safari_config_change.toml | 2 +- ...dboxed_office_app_suspicious_zip_file.toml | 2 +- ...vasion_tcc_bypass_mounted_apfs_access.toml | 2 +- ..._evasion_unload_endpointsecurity_kext.toml | 2 +- ...covery_users_domain_built_in_commands.toml | 2 +- ...vasion_electron_app_childproc_node_js.toml | 2 +- ...l_access_suspicious_browser_childproc.toml | 2 +- ...staller_package_spawned_network_event.toml | 10 +++--- ...cution_script_via_automator_workflows.toml | 2 +- ...ing_osascript_exec_followed_by_netcon.toml | 2 +- ...n_shell_execution_via_apple_scripting.toml | 2 +- ...uspicious_mac_ms_office_child_process.toml | 36 +++++++++---------- ...ential_access_kerberos_bifrostconsole.toml | 4 +-- 
.../lateral_movement_mounting_smb_share.toml | 2 +- ...ral_movement_remote_ssh_login_enabled.toml | 2 +- ...teral_movement_vpn_connection_attempt.toml | 2 +- ...stence_account_creation_hide_at_logon.toml | 2 +- ...ce_creation_change_launch_agents_file.toml | 4 +-- ..._creation_hidden_login_item_osascript.toml | 2 +- ...creation_modif_launch_deamon_sequence.toml | 2 +- ..._access_authorization_plugin_creation.toml | 2 +- rules/macos/persistence_crontab_creation.toml | 4 +-- ...launch_agent_deamon_logonitem_process.toml | 2 +- ...rectory_services_plugins_modification.toml | 2 +- ...e_docker_shortcuts_plist_modification.toml | 6 ++-- ...persistence_emond_rules_file_creation.toml | 2 +- ...istence_emond_rules_process_execution.toml | 2 +- .../persistence_enable_root_account.toml | 2 +- ...n_hidden_launch_agent_deamon_creation.toml | 2 +- ...sistence_finder_sync_plugin_pluginkit.toml | 2 +- ...istence_folder_action_scripts_runtime.toml | 2 +- ...rsistence_login_logout_hooks_defaults.toml | 2 +- ...stence_loginwindow_plist_modification.toml | 2 +- ...fication_sublime_app_plugin_or_script.toml | 2 +- ...ersistence_periodic_tasks_file_mdofiy.toml | 2 +- ...saver_engine_unexpected_child_process.toml | 2 +- ...e_screensaver_plist_file_modification.toml | 2 +- ...ence_suspicious_calendar_modification.toml | 2 +- ...tence_via_atom_init_file_modification.toml | 2 +- ...calation_applescript_with_admin_privs.toml | 2 +- ...calation_explicit_creds_via_scripting.toml | 2 +- ...alation_exploit_adobe_acrobat_updater.toml | 2 +- ..._escalation_local_user_added_to_admin.toml | 2 +- ...ilege_escalation_root_crontab_filemod.toml | 2 +- ...d_control_ml_packetbeat_dns_tunneling.toml | 2 +- ...ntrol_ml_packetbeat_rare_dns_question.toml | 2 +- ...d_and_control_ml_packetbeat_rare_urls.toml | 2 +- ...control_ml_packetbeat_rare_user_agent.toml | 2 +- ..._ml_auth_spike_in_failed_logon_events.toml | 2 +- ..._access_ml_auth_spike_in_logon_events.toml | 2 +- 
...pike_in_logon_events_from_a_source_ip.toml | 2 +- ...s_ml_linux_anomalous_metadata_process.toml | 2 +- ...cess_ml_linux_anomalous_metadata_user.toml | 2 +- ...l_access_ml_suspicious_login_activity.toml | 2 +- ...ml_windows_anomalous_metadata_process.toml | 2 +- ...ss_ml_windows_anomalous_metadata_user.toml | 2 +- ...ml_linux_system_information_discovery.toml | 2 +- ...ystem_network_configuration_discovery.toml | 2 +- ...x_system_network_connection_discovery.toml | 2 +- ...ery_ml_linux_system_process_discovery.toml | 2 +- ...covery_ml_linux_system_user_discovery.toml | 2 +- ...execution_ml_windows_anomalous_script.toml | 2 +- ...ml_auth_rare_hour_for_a_user_to_logon.toml | 2 +- ...ess_ml_auth_rare_source_ip_for_a_user.toml | 2 +- ...nitial_access_ml_auth_rare_user_logon.toml | 2 +- ...l_access_ml_linux_anomalous_user_name.toml | 2 +- ...access_ml_windows_anomalous_user_name.toml | 2 +- ...windows_rare_user_type10_remote_login.toml | 2 +- rules/ml/ml_high_count_network_denies.toml | 12 +++---- rules/ml/ml_high_count_network_events.toml | 12 +++---- .../ml_linux_anomalous_network_activity.toml | 2 +- ...linux_anomalous_network_port_activity.toml | 2 +- .../ml/ml_packetbeat_rare_server_domain.toml | 2 +- rules/ml/ml_rare_destination_country.toml | 22 ++++++------ .../ml/ml_spike_in_traffic_to_a_country.toml | 20 +++++------ ...ml_windows_anomalous_network_activity.toml | 2 +- ..._ml_linux_anomalous_process_all_hosts.toml | 2 +- ...istence_ml_rare_process_by_host_linux.toml | 2 +- ...tence_ml_rare_process_by_host_windows.toml | 2 +- ...ce_ml_windows_anomalous_path_activity.toml | 2 +- ...l_windows_anomalous_process_all_hosts.toml | 2 +- ...ml_windows_anomalous_process_creation.toml | 2 +- ...sistence_ml_windows_anomalous_service.toml | 2 +- ...tion_ml_linux_anomalous_sudo_activity.toml | 2 +- ...tion_ml_windows_rare_user_runas_event.toml | 2 +- ..._ml_linux_anomalous_compiler_activity.toml | 2 +- ...mand_and_control_cobalt_strike_beacon.toml | 2 +- 
...cobalt_strike_default_teamserver_cert.toml | 2 +- ...download_rar_powershell_from_internet.toml | 2 +- .../command_and_control_fin7_c2_behavior.toml | 2 +- .../command_and_control_halfbaked_beacon.toml | 2 +- ...d_control_nat_traversal_port_activity.toml | 2 +- .../command_and_control_port_26_activity.toml | 2 +- ...te_desktop_protocol_from_the_internet.toml | 2 +- ...mand_and_control_telnet_port_activity.toml | 2 +- ...l_network_computing_from_the_internet.toml | 2 +- ...ual_network_computing_to_the_internet.toml | 2 +- ...mote_procedure_call_from_the_internet.toml | 2 +- ...remote_procedure_call_to_the_internet.toml | 2 +- ...file_sharing_activity_to_the_internet.toml | 2 +- ...al_access_unsecure_elasticsearch_node.toml | 2 +- ..._access_endgame_cred_dumping_detected.toml | 2 +- ...access_endgame_cred_dumping_prevented.toml | 2 +- .../endgame_adversary_behavior_detected.toml | 2 +- .../promotions/endgame_malware_detected.toml | 2 +- .../promotions/endgame_malware_prevented.toml | 2 +- .../endgame_ransomware_detected.toml | 2 +- .../endgame_ransomware_prevented.toml | 2 +- .../execution_endgame_exploit_detected.toml | 2 +- .../execution_endgame_exploit_prevented.toml | 2 +- rules/promotions/external_alerts.toml | 2 +- ...on_endgame_cred_manipulation_detected.toml | 2 +- ...n_endgame_cred_manipulation_prevented.toml | 2 +- ...ion_endgame_permission_theft_detected.toml | 2 +- ...on_endgame_permission_theft_prevented.toml | 2 +- ...on_endgame_process_injection_detected.toml | 2 +- ...n_endgame_process_injection_prevented.toml | 2 +- ...ion_email_powershell_exchange_mailbox.toml | 2 +- .../collection_posh_audio_capture.toml | 2 +- rules/windows/collection_posh_keylogger.toml | 2 +- .../collection_posh_screen_grabber.toml | 2 +- .../windows/collection_winrar_encryption.toml | 2 +- ...d_control_certutil_network_connection.toml | 2 +- ...ommand_and_control_common_webservices.toml | 2 +- ...nd_and_control_dns_tunneling_nslookup.toml | 2 +- 
...control_encrypted_channel_freesslcert.toml | 2 +- .../command_and_control_iexplore_via_com.toml | 2 +- ...ontrol_port_forwarding_added_registry.toml | 2 +- .../command_and_control_rdp_tunnel_plink.toml | 2 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 2 +- ...and_control_remote_file_copy_mpcmdrun.toml | 2 +- ...d_control_remote_file_copy_powershell.toml | 6 ++-- ..._and_control_remote_file_copy_scripts.toml | 2 +- ...control_sunburst_c2_activity_detected.toml | 2 +- ...d_control_teamviewer_remote_file_copy.toml | 2 +- .../credential_access_cmdline_dump_tool.toml | 4 +-- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 2 +- ...ial_access_credential_dumping_msbuild.toml | 4 +-- ...tial_access_dcsync_replication_rights.toml | 2 +- ...ntial_access_disable_kerberos_preauth.toml | 2 +- ...cess_domain_backup_dpapi_private_keys.toml | 2 +- ...credential_access_dump_registry_hives.toml | 2 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 2 +- ..._access_iis_connectionstrings_dumping.toml | 2 +- ..._access_kerberoasting_unusual_process.toml | 2 +- ...l_access_lsass_handle_via_malseclogon.toml | 2 +- ...ial_access_lsass_memdump_file_created.toml | 2 +- ...al_access_lsass_memdump_handle_access.toml | 2 +- ...l_access_mimikatz_memssp_default_logs.toml | 2 +- ...ial_access_mimikatz_powershell_module.toml | 2 +- ..._access_mod_wdigest_security_provider.toml | 2 +- ...l_access_moving_registry_hive_via_smb.toml | 2 +- ...e_network_logon_provider_modification.toml | 2 +- .../credential_access_posh_minidump.toml | 2 +- ...credential_access_posh_request_ticket.toml | 2 +- ..._potential_lsa_memdump_via_mirrordump.toml | 2 +- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 8 ++--- ...dential_access_remote_sam_secretsdump.toml | 2 +- ...redential_access_saved_creds_vaultcmd.toml | 2 +- ...edelegationprivilege_assigned_to_user.toml | 2 +- .../credential_access_shadow_credentials.toml | 2 +- ...dential_access_spn_attribute_modified.toml | 2 +- 
...l_access_suspicious_comsvcs_imageload.toml | 2 +- ...ccess_suspicious_lsass_access_memdump.toml | 2 +- ..._suspicious_lsass_access_via_snapshot.toml | 2 +- ...cious_winreg_access_via_sebackup_priv.toml | 4 +-- ..._symbolic_link_to_shadow_copy_created.toml | 2 +- ...ess_via_snapshot_lsass_clone_creation.toml | 2 +- ...den_file_attribute_with_via_attribexe.toml | 2 +- .../defense_evasion_amsienable_key_mod.toml | 2 +- ...sion_clearing_windows_console_history.toml | 2 +- ...e_evasion_clearing_windows_event_logs.toml | 2 +- ...vasion_clearing_windows_security_logs.toml | 2 +- ...e_evasion_create_mod_root_certificate.toml | 2 +- .../defense_evasion_cve_2020_0601.toml | 2 +- ...vasion_defender_disabled_via_registry.toml | 2 +- ...ion_defender_exclusion_via_powershell.toml | 2 +- ...delete_volume_usn_journal_with_fsutil.toml | 2 +- ...asion_disable_posh_scriptblocklogging.toml | 2 +- ...ble_windows_firewall_rules_with_netsh.toml | 2 +- ...disabling_windows_defender_powershell.toml | 2 +- ...efense_evasion_disabling_windows_logs.toml | 2 +- ...efense_evasion_dns_over_https_enabled.toml | 2 +- ...vasion_dotnet_compiler_parent_process.toml | 2 +- ...evasion_enable_inbound_rdp_with_netsh.toml | 2 +- ...n_enable_network_discovery_with_netsh.toml | 2 +- ...ecution_control_panel_suspicious_args.toml | 2 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 2 +- ...ecution_msbuild_started_by_office_app.toml | 6 ++-- ...n_execution_msbuild_started_by_script.toml | 2 +- ...ion_msbuild_started_by_system_process.toml | 2 +- ...ion_execution_msbuild_started_renamed.toml | 2 +- ...cution_msbuild_started_unusal_process.toml | 2 +- ...execution_suspicious_explorer_winword.toml | 2 +- ...sion_execution_windefend_unusual_path.toml | 2 +- ..._evasion_file_creation_mult_extension.toml | 2 +- ...efense_evasion_from_unusual_directory.toml | 2 +- ...sion_hide_encoded_executable_registry.toml | 2 +- ...ense_evasion_iis_httplogging_disabled.toml | 2 +- .../defense_evasion_injection_msbuild.toml | 
2 +- .../defense_evasion_installutil_beacon.toml | 2 +- ...querading_as_elastic_endpoint_process.toml | 2 +- ...e_evasion_masquerading_renamed_autoit.toml | 2 +- ...erading_suspicious_werfault_childproc.toml | 2 +- ...vasion_masquerading_trusted_directory.toml | 2 +- ...defense_evasion_masquerading_werfault.toml | 2 +- ..._evasion_microsoft_defender_tampering.toml | 2 +- ...isc_lolbin_connecting_to_the_internet.toml | 2 +- ...e_evasion_ms_office_suspicious_regmod.toml | 2 +- ...fense_evasion_msbuild_beacon_sequence.toml | 2 +- ...on_msbuild_making_network_connections.toml | 2 +- .../windows/defense_evasion_mshta_beacon.toml | 2 +- .../windows/defense_evasion_msxsl_beacon.toml | 2 +- .../defense_evasion_msxsl_network.toml | 2 +- ...etwork_connection_from_windows_binary.toml | 2 +- ...e_evasion_parent_process_pid_spoofing.toml | 4 +-- .../defense_evasion_posh_assembly_load.toml | 2 +- .../defense_evasion_posh_compressed.toml | 2 +- ...efense_evasion_posh_process_injection.toml | 2 +- ...evasion_potential_processherpaderping.toml | 2 +- ..._powershell_windows_firewall_disabled.toml | 2 +- ...cess_termination_followed_by_deletion.toml | 4 +-- ...ense_evasion_proxy_execution_via_msdt.toml | 2 +- ...defense_evasion_rundll32_no_arguments.toml | 2 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 2 +- ..._evasion_sdelete_like_filename_rename.toml | 2 +- .../defense_evasion_sip_provider_mod.toml | 2 +- ...ackdoor_service_disabled_via_registry.toml | 2 +- ..._evasion_suspicious_certutil_commands.toml | 2 +- ...picious_execution_from_mounted_device.toml | 2 +- ...n_suspicious_managedcode_host_process.toml | 4 +-- ...picious_process_access_direct_syscall.toml | 2 +- ...suspicious_process_creation_calltrace.toml | 2 +- ...efense_evasion_suspicious_scrobj_load.toml | 2 +- ...evasion_suspicious_short_program_name.toml | 2 +- ...defense_evasion_suspicious_wmi_script.toml | 2 +- ...evasion_suspicious_zoom_child_process.toml | 2 +- ..._critical_proc_abnormal_file_activity.toml | 2 
+- ...nse_evasion_unusual_ads_file_creation.toml | 2 +- .../defense_evasion_unusual_dir_ads.toml | 2 +- ...nusual_network_connection_via_dllhost.toml | 2 +- ...usual_network_connection_via_rundll32.toml | 2 +- ...on_unusual_process_network_connection.toml | 2 +- ...asion_unusual_system_vp_child_program.toml | 2 +- .../defense_evasion_via_filter_manager.toml | 2 +- ...evasion_workfolders_control_execution.toml | 2 +- .../discovery_adfind_command_activity.toml | 2 +- rules/windows/discovery_admin_recon.toml | 2 +- .../discovery_command_system_account.toml | 2 +- ..._enumerating_domain_trusts_via_nltest.toml | 2 +- rules/windows/discovery_net_view.toml | 2 +- .../windows/discovery_peripheral_device.toml | 2 +- ...scovery_posh_suspicious_api_functions.toml | 2 +- ..._post_exploitation_external_ip_lookup.toml | 2 +- ...very_privileged_localgroup_membership.toml | 2 +- ...ote_system_discovery_commands_windows.toml | 2 +- .../discovery_security_software_wmic.toml | 2 +- .../discovery_whoami_command_activity.toml | 2 +- ...arwinds_backdoor_child_cmd_powershell.toml | 2 +- ...inds_backdoor_unusual_child_processes.toml | 2 +- .../windows/execution_com_object_xwizard.toml | 2 +- ...and_prompt_connecting_to_the_internet.toml | 2 +- ...tion_command_shell_started_by_svchost.toml | 2 +- ...mand_shell_started_by_unusual_process.toml | 2 +- .../execution_command_shell_via_rundll32.toml | 2 +- .../execution_downloaded_shortcut_files.toml | 2 +- .../execution_downloaded_url_file.toml | 2 +- .../execution_enumeration_via_wmiprvse.toml | 2 +- .../execution_from_unusual_path_cmdline.toml | 2 +- ...le_program_connecting_to_the_internet.toml | 2 +- .../execution_ms_office_written_file.toml | 4 +-- rules/windows/execution_pdf_written_file.toml | 6 ++-- .../execution_posh_portable_executable.toml | 2 +- rules/windows/execution_posh_psreflect.toml | 2 +- ...ution_psexec_lateral_movement_command.toml | 2 +- ...er_program_connecting_to_the_internet.toml | 2 +- 
...tion_scheduled_task_powershell_source.toml | 2 +- ...xecution_shared_modules_local_sxs_dll.toml | 2 +- .../windows/execution_suspicious_cmd_wmi.toml | 2 +- ...n_suspicious_image_load_wmi_ms_office.toml | 2 +- .../execution_suspicious_pdf_reader.toml | 2 +- ...ecution_suspicious_powershell_imgload.toml | 2 +- .../execution_suspicious_psexesvc.toml | 2 +- .../execution_via_compiled_html_file.toml | 2 +- .../execution_via_hidden_shell_conhost.toml | 2 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 2 +- .../windows/impact_backup_file_deletion.toml | 2 +- ...deleting_backup_catalogs_with_wbadmin.toml | 2 +- .../impact_modification_of_boot_config.toml | 2 +- ...impact_stop_process_service_threshold.toml | 2 +- ...copy_deletion_or_resized_via_vssadmin.toml | 2 +- ...e_shadow_copy_deletion_via_powershell.toml | 2 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 2 +- ..._evasion_suspicious_htm_file_creation.toml | 2 +- ...al_access_script_executing_powershell.toml | 2 +- ...ccess_scripts_process_started_via_wmi.toml | 2 +- ...l_access_suspicious_ms_exchange_files.toml | 2 +- ...access_suspicious_ms_exchange_process.toml | 2 +- ...ious_ms_exchange_worker_child_process.toml | 2 +- ...ss_suspicious_ms_office_child_process.toml | 4 +-- ...s_suspicious_ms_outlook_child_process.toml | 4 +-- ...l_access_unusual_dns_service_children.toml | 4 +-- ...ccess_unusual_dns_service_file_writes.toml | 2 +- ...explorer_suspicious_child_parent_args.toml | 2 +- .../windows/lateral_movement_cmd_service.toml | 2 +- rules/windows/lateral_movement_dcom_hta.toml | 2 +- .../windows/lateral_movement_dcom_mmc20.toml | 2 +- ...t_dcom_shellwindow_shellbrowserwindow.toml | 2 +- ...n_lanman_nullsessionpipe_modification.toml | 2 +- ...vement_direct_outbound_smb_connection.toml | 2 +- .../lateral_movement_dns_server_overflow.toml | 6 ++-- ...ateral_movement_evasion_rdp_shadowing.toml | 2 +- ...movement_executable_tool_transfer_smb.toml | 2 +- ..._movement_execution_from_tsclient_mup.toml | 2 +- 
...nt_execution_via_file_shares_sequence.toml | 2 +- ...vement_incoming_winrm_shell_execution.toml | 2 +- .../lateral_movement_incoming_wmi.toml | 10 +++--- ...ment_mount_hidden_or_webdav_share_net.toml | 2 +- ...l_movement_powershell_remoting_target.toml | 2 +- ...lateral_movement_rdp_enabled_registry.toml | 2 +- .../lateral_movement_rdp_sharprdp_target.toml | 10 +++--- ...ovement_remote_file_copy_hidden_share.toml | 2 +- .../lateral_movement_remote_services.toml | 8 ++--- ...ateral_movement_scheduled_task_target.toml | 4 +-- ...nt_service_control_spawned_script_int.toml | 2 +- ...ement_suspicious_rdp_client_imageload.toml | 2 +- ...l_movement_via_startup_folder_rdp_smb.toml | 2 +- .../windows/persistence_ad_adminsdholder.toml | 2 +- .../persistence_adobe_hijack_persistence.toml | 2 +- .../windows/persistence_app_compat_shim.toml | 2 +- .../persistence_appcertdlls_registry.toml | 2 +- .../persistence_appinitdlls_registry.toml | 2 +- .../persistence_dontexpirepasswd_account.toml | 2 +- ...evasion_hidden_local_account_creation.toml | 2 +- ...tence_evasion_registry_ifeo_injection.toml | 8 ++--- ...egistry_startup_shell_folder_modified.toml | 2 +- ...sistence_gpo_schtask_service_creation.toml | 2 +- ...sistence_local_scheduled_job_creation.toml | 2 +- ...istence_local_scheduled_task_creation.toml | 2 +- ...stence_local_scheduled_task_scripting.toml | 2 +- .../persistence_ms_office_addins_file.toml | 2 +- .../persistence_ms_outlook_vba_template.toml | 2 +- ...istence_msds_alloweddelegateto_krbtgt.toml | 2 +- ...ll_exch_mailbox_activesync_add_device.toml | 2 +- ...escalation_via_accessibility_features.toml | 2 +- .../persistence_registry_uncommon.toml | 4 +-- .../persistence_remote_password_reset.toml | 2 +- ...persistence_run_key_and_startup_broad.toml | 16 ++++----- ...ce_runtime_run_key_startup_susp_procs.toml | 2 +- ...istence_sdprop_exclusion_dsheuristics.toml | 2 +- .../persistence_services_registry.toml | 2 +- ...er_file_written_by_suspicious_process.toml | 2 +- 
...lder_file_written_by_unsigned_process.toml | 16 ++++----- .../persistence_startup_folder_scripts.toml | 2 +- ...stence_suspicious_com_hijack_registry.toml | 2 +- ...s_image_load_scheduled_task_ms_office.toml | 2 +- ...nce_suspicious_scheduled_task_runtime.toml | 2 +- ...e_suspicious_service_created_registry.toml | 2 +- ...ersistence_system_shells_via_services.toml | 2 +- .../persistence_time_provider_mod.toml | 2 +- ..._account_added_to_privileged_group_ad.toml | 2 +- .../persistence_user_account_creation.toml | 2 +- ...ence_user_account_creation_event_logs.toml | 2 +- .../persistence_via_application_shimming.toml | 2 +- ...rsistence_via_bits_job_notify_command.toml | 2 +- ...sistence_via_hidden_run_key_valuename.toml | 2 +- ...sa_security_support_provider_registry.toml | 2 +- ...emetrycontroller_scheduledtask_hijack.toml | 2 +- ...ia_update_orchestrator_service_hijack.toml | 2 +- ...nt_instrumentation_event_subscription.toml | 2 +- ...tence_via_wmi_stdregprov_run_services.toml | 28 +++++++-------- .../persistence_webshell_detection.toml | 2 +- ...ilege_escalation_disable_uac_registry.toml | 2 +- ...ege_escalation_group_policy_iniscript.toml | 2 +- ...lation_group_policy_privileged_groups.toml | 2 +- ...scalation_group_policy_scheduled_task.toml | 2 +- ...rivilege_escalation_installertakeover.toml | 2 +- ...scalation_krbrelayup_service_creation.toml | 2 +- ...privilege_escalation_lsa_auth_package.toml | 2 +- ...e_escalation_named_pipe_impersonation.toml | 2 +- ...ge_escalation_persistence_phantom_dll.toml | 2 +- ...ion_port_monitor_print_pocessor_abuse.toml | 2 +- ...ation_printspooler_registry_copyfiles.toml | 2 +- ..._printspooler_service_suspicious_file.toml | 2 +- ...printspooler_suspicious_file_deletion.toml | 2 +- ...tion_printspooler_suspicious_spl_file.toml | 2 +- ...calation_rogue_windir_environment_var.toml | 4 +-- ...lation_samaccountname_spoofing_attack.toml | 2 +- ...alation_suspicious_dnshostname_update.toml | 2 +- 
...lege_escalation_uac_bypass_com_clipup.toml | 2 +- ...ge_escalation_uac_bypass_com_ieinstal.toml | 2 +- ...n_uac_bypass_com_interface_icmluautil.toml | 2 +- ...alation_uac_bypass_diskcleanup_hijack.toml | 2 +- ...escalation_uac_bypass_dll_sideloading.toml | 2 +- ...ge_escalation_uac_bypass_event_viewer.toml | 6 ++-- ...ege_escalation_uac_bypass_mock_windir.toml | 6 ++-- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 6 ++-- .../privilege_escalation_uac_sdclt.toml | 2 +- ...tion_unusual_parentchild_relationship.toml | 2 +- ...ion_unusual_printspooler_childprocess.toml | 2 +- ...n_unusual_svchost_childproc_childless.toml | 2 +- ...ilege_escalation_via_rogue_named_pipe.toml | 2 +- ...on_windows_service_via_unusual_client.toml | 2 +- ...rivilege_escalation_wpad_exploitation.toml | 2 +- 689 files changed, 864 insertions(+), 864 deletions(-)
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index eb9339e3d9c..4cb1d40419a 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index e601bd88d9d..1af9fe46801 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index 15b880d1d8b..820e21e29b9 100644
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index 11d6fb63958..b580bdcfc81 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index c521ab86983..424246a78e2 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 1944a26182e..0b50b84fd3a 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 2282deb2274..f3b5ba6f7f4 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 289475cb3bf..9f049370ed8 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index a32174bee05..0bb02a8a544 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/04" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/05/16" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 94d5c2b722e..d53dbd7d3b0 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/18" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -39,10 +39,10 @@ process where or /* service or systemctl used to stop Elastic Agent on Linux */ (event.type == "end" and - (process.name : ("systemctl", "service") and + (process.name : ("systemctl", "service") and process.args : "elastic-agent" and - process.args : "stop") - or + process.args : "stop") + or /* Unload Elastic Agent extension on MacOS */ (process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity" and diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index e893d4b0b22..1922928eacf 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/03" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/03/31" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 0a296f2eabc..36f70ceb90b 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index ff4a908c25c..b2d70bc98f4 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -3,7 +3,7 @@ creation_date = "2021/09/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index dbaee714710..efb705d1785 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 525da55ceb0..153f7aebddc 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index fdc2ec64b57..fc60a1e278f 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/06"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index dc63531b97e..11963546d99 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index 4e91b6edb8f..3db4bdf1cbe 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
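Review bot: The `[metadata]` table of execution_python_script_in_cmdline.toml carries no `min_stack_version` or `min_stack_comments` key — the context lines run from `maturity = "development"` and the bumped `updated_date` straight into `[rule]` — whereas every other hunk in this patch shows `min_stack_version = "8.3.0"` as context. If the intent of "min_stack all rules to 8.3" is to cover every rule, this one appears to have been missed; adding `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` and `min_stack_version = "8.3.0"` to its `[metadata]` would bring it in line. If development-maturity rules are deliberately excluded from the min_stack gate, that is not stated anywhere visible in the patch and is worth a line in the commit message so the inconsistency is not taken for an oversight later.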
@@ -3,7 +3,7 @@ creation_date = "2021/12/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 0911b7a61bf..b75979ae5b4 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index d8b81000882..70ea4c37330 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/10"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index b87e5a7dd4f..7f6fd6d01ce 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/22" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -33,19 +33,19 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and event.type:change and - (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and +event.category:file and event.type:change and + (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: - (* and - not + (* and + not ( - /bin/yum or - "/usr/sbin/pam-auth-update" or - /usr/libexec/packagekitd or - /usr/bin/dpkg or - /usr/bin/vim or - /usr/libexec/xpcproxy or - /usr/bin/bsdtar or + /bin/yum or + "/usr/sbin/pam-auth-update" or + /usr/libexec/packagekitd or + /usr/bin/dpkg or + /usr/bin/vim or + /usr/libexec/xpcproxy or + /usr/bin/bsdtar or /usr/local/bin/brew or /usr/bin/rsync or /usr/bin/yum or diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index c2fdfd8697e..400716f83ae 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/08/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index b7c071bcc6d..234ed6bc6f8 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/12/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/05/04" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -24,18 +24,18 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and event.type:(change or creation) and - file.name:("authorized_keys" or "authorized_keys2") and +event.category:file and event.type:(change or creation) and + file.name:("authorized_keys" or "authorized_keys2") and not process.executable: - (/Library/Developer/CommandLineTools/usr/bin/git or - /usr/local/Cellar/maven/*/libexec/bin/mvn or - /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or - /usr/bin/vim or - /usr/local/Cellar/coreutils/*/bin/gcat or + (/Library/Developer/CommandLineTools/usr/bin/git or + /usr/local/Cellar/maven/*/libexec/bin/mvn or + /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or + /usr/bin/vim or + /usr/local/Cellar/coreutils/*/bin/gcat or /usr/bin/bsdtar or - /usr/bin/nautilus or + /usr/bin/nautilus or /usr/bin/scp or - /usr/bin/touch or + /usr/bin/touch or /var/lib/docker/* or /usr/bin/google_guest_agent) ''' diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 53c5b593635..5e4bc234455 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/26" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 432896bc68d..a0d341570a8 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/10"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 01e8e6134cd..cdc05735497 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -3,7 +3,7 @@ creation_date = "2021/02/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index 2e738e5cfa8..492f3bf90d2 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index 000326e34ac..bdb9f68adc0 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index 1e8d6293cd1..62a454fd2f1 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index aa65940b566..9d44f4936ce 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 43a3a5e79b8..ab371f7469e 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index dfd3d1e73a7..e21b5aa392c 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 7040c497487..7a124243277 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index 9c6ad26cebd..0909584ac3c 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index e5924d6a998..6c46192a53a 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 88910187cb6..d5c661d4355 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 051997771d4..bca7a1f2397 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 09a5646eef3..54ca2642e20 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 610cc501bef..06c0bdecf11 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 97d57b798f6..ebec002e412 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 0fd6227535d..8c248169a77 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 7182c88276e..aeb3c3cbf7c 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/01"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 00375e5837c..4feea28b901 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/01"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index cbc3b312b29..0fb8a88fea0 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 25d808c316d..c2560f91450 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 3bf140a3432..4021725f111 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index f5b4eb4994f..65a937528b7 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/11"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 75c45b41e59..343d36d629c 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 37388a7b146..160a28de560 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index ac14e92be76..eb78385c1ad 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 2f9cd8841d3..03d2a63a988 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index d0762e7c75c..a6d2c03a796 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 684bb0ff38c..896202291a5 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 0dcc1e5c48a..a3c0fbab62b 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 73a57efb10f..022869765db 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index e31fe14d7e2..db266753b23 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 418f35f2f87..22fbf2e80b1 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 7b6133235eb..b514727fbf9 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2021/08/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index fb961fe3577..16bdb004cfa 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 45050f05fc0..3d48563df39 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 48e88f991a3..9cd43474362 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 8a7d48c2b9b..ce6ad602da8 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/07"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index cfddf5555d4..acc28ba1ec5 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index 75391e2ba1f..5e6b34c58c2 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index a8baa066ae9..b6971a8efad 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index ecad0e621b9..c6b55a7b57b 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 79ceff3612f..843f56f3aed 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 2fe035b0e23..edae35ac634 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/14" +updated_date = "2022/08/24" integration = "aws" [rule] diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 5d55f25f962..b14a6c9b887 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/13" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/14" +updated_date = "2022/08/24" integration = "aws" [rule] @@ -44,7 +44,7 @@ of the source IP address. #### Possible investigation steps - Identify the user account involved and the action performed. Verify whether it should perform this kind of action. - - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the + - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request. - Investigate other alerts associated with the user account during the past 48 hours. diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index 67e8336227f..cd6f007feb2 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
@@ -44,7 +44,7 @@ of the source IP address.
 #### Possible investigation steps
 
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index f05f4389f75..2b6e681abfd 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/14"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
@@ -43,7 +43,7 @@ user.
 #### Possible investigation steps
 
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the 
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 3f7dc86f84a..51ed2a7bf30 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 98f1c75f3d4..5182aae267b 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/07"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index 11303f82885..98658f842d4 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/06/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index c6b88c2520a..3c8dde9c5f0 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index c46ff2ff584..8000c16a764 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index c207a60612b..dcc819da68f 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index 59c44651f6a..817550e621f 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/04/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 4980bf20f28..072f305a811 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index d31e814e4cd..d0a6ae23640 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index b0cc15029df..7ef1506a3d5 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/19"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index f11500dac88..d175dac1f5d 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index e46e759b069..41128fdc63a 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
index bf186aaf954..78416677b0c 100644
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2021/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/09/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 8a3b7a39c7d..d5a63bc0e35 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
@@ -42,7 +42,7 @@ your first IAM user. Then securely lock away the root user credentials and use t
 service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).
 
 This rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning
-the account is not secured properly. 
+the account is not secured properly.
 
 #### Possible investigation steps
 
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 1ae0785d8ff..f1a82be81c5 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/05"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 3a85a877bf1..991f7e7f9b5 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/11"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 388acde51a7..5af2f69635b 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index 3a30f7d4721..0af85cdf472 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 1dc939f216d..fb721a6aeb6 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2021/08/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/15"
+updated_date = "2022/08/24"
 integration = "azure"
 
 
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index b14a3470717..1c96a5a39c0 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index eff6841a142..3cc97f76eb0 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index 43b61bab39c..03225e9d265 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 3c1d3730f2f..450ac76dbd0 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -35,7 +35,7 @@ type = "query"
 
 query = '''
 event.dataset:azure.activitylogs and
- azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and 
+ azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
 event.outcome:(Success or success)
 '''
 
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index c69dbb846d5..35aa843c513 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2021/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/09/22"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index fe9671951e8..ec9f32538cd 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 660364efee3..dc8f526a509 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 550273b1bf5..e77f6f12fb9 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index d40011b5dc9..fdac3a5ed4c 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index e08c7be63a5..697745bbc8b 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/08/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/08/01"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index a85917ee118..cfb6b36fb22 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 967dbc15746..722f5c4989f 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index 99007fdc48f..6155a4e66c2 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -3,7 +3,7 @@ creation_date = "2021/08/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/16"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index eefcf8cd3a3..0853719abe9 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 6463bc9c6a8..bc66dce7956 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index 0c5ef3766ed..62167341600 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index da127e72c27..54c4bc1061e 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/06/24"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 9fb53190553..61c0ea0734c 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index 281b036430d..6aafda577ef 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index cbb8282ac2a..73b0337a5d1 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -30,7 +30,7 @@ This rule identifies events produced by Microsoft Identity Protection with high
 #### Possible investigation steps
 
 - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).
-- Identify the user account involved and validate whether the suspicious activity is normal for that user. 
+- Identify the user account involved and validate whether the suspicious activity is normal for that user.
 - Consider the source IP address and geolocation for the involved user account. Do they look normal?
 - Consider the device used to sign in. Is it registered and compliant?
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 2284a4b5737..b0c857da23e 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -29,7 +29,7 @@ or `atRisk`.
 #### Possible investigation steps
 
 - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).
-- Identify the user account involved and validate whether the suspicious activity is normal for that user. 
+- Identify the user account involved and validate whether the suspicious activity is normal for that user.
 - Consider the source IP address and geolocation for the involved user account. Do they look normal?
 - Consider the device used to sign in. Is it registered and compliant?
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index 25576bb6b42..45570d54598 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index b96ddb5b033..1dba35f8c6f 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -72,7 +72,7 @@ your IT teams to minimize the impact on business operations during these actions
 - Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.
 - Disable the permission for a user to set consent permission on their behalf.
-  - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature. 
+  - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index 96704a44ff4..ccb6f215cb3 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index a38f4b0bbf7..6d5432f8bc5 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index f70887a5c15..ab1b462eceb 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index 4abb4a257f1..d73b74ca7a6 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 19f172a65a7..44e1b37df6f 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index e64e9991da0..765d376c071 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -4,7 +4,7 @@ integration = "azure"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index dd459283c21..a8cde43861b 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 8f4f207f634..26a55088087 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/19"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -25,10 +25,10 @@ note = """## Triage and analysis
 Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles
-such as Global Administrator and Application Administrator. 
+such as Global Administrator and Application Administrator.
 
 This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough
-access to modify role assignment settings. 
+access to modify role assignment settings.
 
 #### Possible investigation steps
 
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index e3c9a601e97..2215b7dc015 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 652ad32cff3..1bc83ba44d1 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 9c27ff59322..a5e48746400 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index 6d72bb37216..84ad211f3c6 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/11/22"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 19a2f43672d..d23b692c39a 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "cyberarkpas"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 2bae0cdf939..d3a0c3c72b6 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "cyberarkpas"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index a55e1f18dab..571cd3b064a 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/11"
+updated_date = "2022/08/24"
 integration = "endpoint"
 
 [rule]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 6e78a214b80..32844d95e07 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index 7cfe71fb3b6..b12ea3ed0ae 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 79b6c5687d3..0371330efd5 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -4,7 +4,7 @@ integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 79fe0bb3fa6..2158316621d 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -4,7 +4,7 @@ integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index fb512af7648..01ae45b1e51 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -4,7 +4,7 @@ integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 0786f60112f..f5bbbc9668e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index c1e209182f9..fe47c683768 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 872f3132e7f..dc967d1fb0b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 268b784e698..a894b06a9bb 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index c06f1cc57bf..ef549345635 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index e1eaed63324..a5596d1921d 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 7889bd0c7fb..bad67cccc11 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 88b23ab6107..111707924b9 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index efa40739cea..49dbccff35f 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -4,7 +4,7 @@ integration = "gcp"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index d40f6db6500..0c170a6f6ff 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 24c78051f13..ba5c68510bb 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 75d2c2d9591..b921cf62d32 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 1a62938842e..e1e8303c204 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index d9dac715813..99a854e2726 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index cd8c1f8d8eb..9a85cfc2e44 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 357fdaae468..6f14289612c 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 392ecdd7cf4..fb9f0292f74 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 7ceb00f471a..1f97926ba33 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
index 2b6b6d3f182..60a5320b625 100644
--- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
+++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/15"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index 0705e17859b..412c1d6e774 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index d18f044cd04..debea77a2fc 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index fe8d868ef80..229c3776cc9 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index 4e6bb6a8e92..8810645085a 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index dc0f2b4a372..03e1c2ee005 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 950c5b8e673..56e081b89e7 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index b3bbee6ae48..588ba08abc5 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
index bda62e69773..d4117a6faf4 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 53025281971..68c591d02a5 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml index 157072ef708..45655935a2d 100644 --- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/07/17" +updated_date = "2022/08/24" integration = "google_workspace" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml index 0b0f7f9b2b6..092ef1d83af 100644 --- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml @@ -4,7 +4,7 @@ integration = "kubernetes" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/06/30" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -41,8 +41,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -kubernetes.audit.verb:"create" -and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") +kubernetes.audit.verb:"create" +and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*) ''' 
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index 68797f0d066..31e8714df06 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -4,7 +4,7 @@ integration = "kubernetes" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/11" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -43,7 +43,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -kubernetes.audit.objectRef.resource:"pods" +kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.objectRef.subresource:"exec" ''' diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml index 6d6f5f5ce30..e6d6ce886ab 100644 --- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml +++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml @@ -4,7 +4,7 @@ integration = "kubernetes" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/05" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml index e08a2889d82..48645274393 100644 --- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml +++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml 
@@ -4,7 +4,7 @@ integration = "kubernetes"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 9748d7ff69a..3b4443f5271 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -4,7 +4,7 @@ integration = "kubernetes"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 7ed9811f854..70455db958b 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -4,7 +4,7 @@ integration = "kubernetes"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
index 453f78f5640..33fc1c82272 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml @@ -4,7 +4,7 @@ integration = "kubernetes" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/11" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -42,8 +42,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -kubernetes.audit.objectRef.resource:"pods" - and kubernetes.audit.verb:("create" or "update" or "patch") +kubernetes.audit.objectRef.resource:"pods" + and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.volumes.hostPath.path:("/" or "/proc" or "/root" or "/var" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/home/admin") ''' diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml index 345aae28b53..8451dd09bdb 100644 --- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml +++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml @@ -4,7 +4,7 @@ integration = "kubernetes" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/05" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index f30a9e84697..647d910275d 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml 
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/16"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index eea33534eb6..8af7f094a22 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/30"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 5527f4c0401..fd6fd1742a2 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/30"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 67627fe0ecb..0fb774db5b7 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/30"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 2c51df7a029..13a91907420 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 2ca11a3f763..45654f7fa43 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 3b4af3b6deb..18b0a97dd31 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index d4399095be6..075c900036a 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index da1f64e1b2d..adafec01707 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -4,7 +4,7 @@ integration = "o365"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/16"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 4ed7923d889..97d63de0b2e 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index 412e03e1d39..a15a7b4e76e 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index c3e5d09d659..4e4ca912fff 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 11efcc42964..7daae51559d 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/05"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 659190ddb8c..0e9588b011f 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/15"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index bca029fe52d..6dc020aac1e 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
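Review bot: The `[metadata]` table of impact_microsoft_365_mass_download_by_a_single_user.toml still has no `min_stack_version` or `min_stack_comments` after this hunk, even though the commit title says all rules move to 8.3 and every other file in this patch pins `min_stack_version = "8.3.0"`; the same gap is in initial_access_microsoft_365_impossible_travel_activity.toml further down. If `maturity = "development"` rules are deliberately left out of the floor, bumping only `updated_date` here is noise and could be dropped; otherwise add `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` and `min_stack_version = "8.3.0"` to match the rest of the set.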
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index f8e1c32fd7d..47dc36c97d2 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 9101fb1c2f3..803497dc7a0 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 7a1d2a093e7..8c65fa57197 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "development"
-updated_date = "2021/10/05"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 6a9c7d9b5a1..7fa3cce75b6 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/05"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 9d94abb5353..461c24dbd53 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -4,7 +4,7 @@ integration = "o365"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/01/12"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 420503dd5f1..ed795805e00 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -4,7 +4,7 @@ integration = "o365"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/01/10"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index e7f7c9049d3..3fe750c4d0a 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -4,7 +4,7 @@ integration = "o365"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index b65b13d2adb..edd8dada342 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index b03bc158fc4..cf56129ab23 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 0f3e58da896..6b757201872 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index d0c7a7c7300..acc9716ae15 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -4,7 +4,7 @@ integration = "o365"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index 4531f8d5a68..836040712fc 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 03cd008ee07..bba76cffcc6 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 059cc00b492..954b92e4f71 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 7e85690104e..884723ebcc0 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/11"
+updated_date = "2022/08/24"
 integration = "o365"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index a366840ac90..db75e5ba65a 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 6186aeae996..90aa3dc1940 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index 12bf9f23ace..2c8321700d0 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 706db13a843..a07fcb683bc 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index aebc75dbb7d..de88ffbe205 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -3,7 +3,7 @@ creation_date = "2022/03/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/22"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index cb5980a0441..ddab4460c17 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 70c61ce3453..4df86f5402d 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index e2a8dece0c4..171bf646b16 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index e264eb35582..d2f8fae7f19 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 05218943f78..bc6f8ab4d11 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 2df31c868d0..8cb518195d8 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index f5d4e03400b..4553719ba76 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 668aa228f05..3fba102b2d4 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index e63c19a2875..37e6f828389 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 40d2226bb28..6156e8d087b 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index 3fc4943206e..444e8e42ec5 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 0ffd7aaf4bf..35d8d8d823d 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 15514516681..2c316553c84 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index d98d3054874..e9ffbb65d1a 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 0ec7e5dfbb2..950fc727c53 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 2ca17e6a8ce..03103d0b217 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/11"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 90deabefe0f..0ba6ac9956f 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
index 8e6a7a3fde5..d941e1b94e2 100644
--- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index be562390c9e..1c259181dd4 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 8c291e50694..1109d239523 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index ec40c5d0936..88040f1818e 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 51ea014378c..b6f58c79486 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 145b21a92ef..c908c955a36 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 58796e3e070..e0db1ed9cb4 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 integration = "okta"
 
 [rule]
diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index 71e983ad4d8..c5cba244647 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=1m -[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and +[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] [process where event.action == "session_id_change" and user.id == "0" and not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index 73098bf79ed..41db3e9ffa9 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index 68e4f76526c..fc157d19cb9 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 17b18199a75..87f8ddc933d 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 2ceb25ddcd5..0a216aca171 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/28"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index e11ac67a264..2aeed57afdb 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 18ac4b63bd5..25ab699b9a4 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index fdb553a4937..ccfd5d84a8d 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index e18b80e24b4..e6a718fb247 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 4d85089fd81..c8e00083e0f 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index 2798c8eb797..2f48d1792d0 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 1e1e9772375..5dee1682f49 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index 4d57af0378a..3598708e4f1 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" +file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 2941e2ac095..05d864296a4 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index aef7e2aafbb..0599cdb0be3 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index de6a1c36ea8..8aa75879f15 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index e2d15823b6d..747da06d214 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/06/02" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 29a0f79ab04..e125a0a56b9 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/18" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 1fd92ad808a..f5cc6c5e0b5 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -3,7 +3,7 @@ creation_date = "2020/04/27" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 7b5eca315dc..39380dca173 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
diff --git a/rules/linux/execution_linux_netcat_network_connection.toml b/rules/linux/execution_linux_netcat_network_connection.toml index 1df3c20c4ea..b382175087d 100644 --- a/rules/linux/execution_linux_netcat_network_connection.toml +++ b/rules/linux/execution_linux_netcat_network_connection.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/18" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 467a6f7b999..0206e728f00 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -3,7 +3,7 @@ creation_date = "2020/04/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index abdcfaa8abf..8a11f126d5b 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/05/12" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 54228076421..916fea94f24 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml 
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/10" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/26" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -36,8 +36,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and - event.action == "exec" and user.name == "root" and +process where event.type == "start" and + event.action == "exec" and user.name == "root" and process.executable : ( "/dev/shm/*", "/run/shm/*", diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 1eb21225154..3ea9831b247 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/04/15" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/08/24" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and +event.category:process and event.type:(start or process_started) and process.name:python* and process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index b2453401ab0..d3e3c678891 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml 
@@ -3,7 +3,7 @@ creation_date = "2022/05/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/01" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index af2ea9e13a9..0feaaf4ea53 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/11" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index dfcb78e38c4..68e0e40ed46 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/27" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/27" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index f3802896c4c..6f07b0de72a 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -3,7 +3,7 @@ creation_date = "2020/04/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/05/26" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 22a7bcd2551..cb493e9f0be 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -3,7 +3,7 @@ creation_date = "2020/04/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/05/26" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 9340184af75..09aa6fe7351 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -26,8 +26,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and - (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or +process where event.type == "start" and + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or (process.args : "*chkconfig" and process.args : "--add") ''' diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 0c68802970a..02810717410 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml 
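Review bot: In the persistence_chkconfig_service_add.toml query hunk, the re-emitted line `process where event.type == "start" and` is followed by an unparenthesized `(...) or (...)`, and EQL binds `and` tighter than `or`, so the `event.type == "start"` constraint applies only to the first alternative; the second alternative (`process.args : "*chkconfig" and process.args : "--add"`) matches any process event type, which would fire on non-start events for the same process as well. Wrapping both alternatives keeps the intent: `process where event.type == "start" and` / `  ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or` / `  (process.args : "*chkconfig" and process.args : "--add"))`. The commit only appears to touch whitespace on these lines, so the precedence issue predates it.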
@@ -3,7 +3,7 @@ creation_date = "2020/12/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/26" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 0c1f250c60d..da5c28b53e4 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/12" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 1759a57b4c6..230705365af 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -56,7 +56,7 @@ reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" +reference = "https://attack.mitre.org/techniques/T1574/006/" [[rule.threat.technique]] id = "T1543" diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index f30839ab162..149b2ab2c11 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml 
@@ -3,12 +3,12 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/08/24" [rule] author = ["Elastic"] description = """ -Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. +Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. """ from = "now-9m" index = ["logs-*"] diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index a400839e955..4dcabef117b 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/26" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index be8fb2fba60..fce7628124f 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml 
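Review bot: The re-emitted description line in persistence_insmod_kernel_module_load.toml keeps the misspelling `suspcious`; since the line is being rewritten anyway (the change looks to be trailing-whitespace only), it should end `... can indicate suspicious or malicious behavior.` No other wording on the line differs between the old and new side as far as the collapsed rendering shows.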
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/26" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index fedc878fee7..bc2877b9b4a 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/27" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/08/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index cb2ce49376c..5de7817defc 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -3,7 +3,7 @@ creation_date = "2022/01/26" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/02/28" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml index a8d4aad1e09..66d17e006fe 100644 --- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml +++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/01/04" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/13" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml index b27eb836015..bab45c5cb5d 100644 --- a/rules/macos/credential_access_credentials_keychains.toml +++ b/rules/macos/credential_access_credentials_keychains.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/13" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml index 31e20e5f7f4..92c407862f9 100644 --- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml index e700cf7a2f3..e7ecc76a4ce 100644 --- a/rules/macos/credential_access_dumping_keychain_security.toml +++ b/rules/macos/credential_access_dumping_keychain_security.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/04" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/03/31" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index ef1b8f20b3b..3b8cb920f7c 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/13" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index 3cb1b4cba46..d43dbdd2b5a 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/03/31" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index b8f1128143a..8460830c2ad 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/05" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/09" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_ssh_bruteforce.toml index bd546c59c70..9878444781c 100644 --- a/rules/macos/credential_access_potential_ssh_bruteforce.toml 
+++ b/rules/macos/credential_access_potential_ssh_bruteforce.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index aa91d319461..fa6adab100b 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/03/31" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml index 7e934570f7f..5c88932e63f 100644 --- a/rules/macos/credential_access_systemkey_dumping.toml +++ b/rules/macos/credential_access_systemkey_dumping.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/03/27" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml index 49a6f5f7cbc..ac74b9f849a 100644 --- a/rules/macos/defense_evasion_apple_softupdates_modification.toml +++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml 
@@ -3,7 +3,7 @@ creation_date = "2021/01/15" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ type = "query" query = ''' event.category:process and event.type:(start or process_started) and - process.name:defaults and + process.name:defaults and process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true)) ''' diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index c86dc874d1f..e3ae4dd6b02 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/20" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml index ead6bad37ad..24fa9203815 100644 --- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/04/20" +updated_date = "2022/08/24" [rule] author = ["Elastic"] 
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and +event.category:process and event.type:(start or process_started) and process.args:(spctl and "--master-disable") ''' diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml index da22b61ffd5..569e5615704 100644 --- a/rules/macos/defense_evasion_install_root_certificate.toml +++ b/rules/macos/defense_evasion_install_root_certificate.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/13" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/15" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index 17f1ee4f9e9..7934ef6c560 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/18" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index 5c09c650006..1a283b58cc9 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/12/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/18" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index 0970598145a..b745b7d49b4 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/04/20" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml index 69beae92dae..4d208175ca6 100644 --- a/rules/macos/defense_evasion_safari_config_change.toml +++ b/rules/macos/defense_evasion_safari_config_change.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 9c3428d2939..27bd40bb7aa 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml 
@@ -3,7 +3,7 @@ creation_date = "2021/01/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/18" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml index e4cec68650c..0617a53186d 100644 --- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml +++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/04" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/20" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml index 72ea179e8a0..64598d3578e 100644 --- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/05" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/21/07" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index 5a767f69312..fc629b1d0b2 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml 
@@ -3,7 +3,7 @@ creation_date = "2021/01/12" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/07/21" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index c1c6e37880c..0ca015722bc 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2021/03/03" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index fb7d36c0ed3..f4ac8cd900f 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml @@ -3,7 +3,7 @@ creation_date = "2020/12/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/12" +updated_date = "2022/08/24" [rule] author = ["Elastic"] diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index 58bdb64c95d..5fab7a995ea 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml 
@@ -3,13 +3,13 @@ creation_date = "2021/02/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/08/24" [rule] author = ["Elastic"] description = """ -Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). -Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. +Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). +Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. """ false_positives = [ 
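Review bot: The two re-emitted description lines in execution_installer_package_spawned_network_event.toml keep `e.g bash`, `e.g curl` and `e.g pre/post install scripts etc.` without the period after "e.g", and spell the platform `MacOS` where the vendor spelling is `macOS`; since the lines are being rewritten anyway (the change looks to be trailing-whitespace only), use `(e.g. bash)`, `(e.g. curl)`, `(e.g. pre/post install scripts, etc.)` and `macOS installer package` on both lines. The third description line, `If this rule fires ...`, is context and unchanged.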
@@ -36,8 +36,8 @@ type = "eql"
 
 query = '''
 sequence by host.id, user.id with maxspan=30s
-[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
-[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
+[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
+[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
 '''
 
 [[rule.threat]]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 26561639f80..8bed1e85a53 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 5f0e3e8d856..9d98ed40bff 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
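Review bot: Both stages of the new query match `process.name` against the literal `"python"`, so an interpreter named `python3` (which is what current macOS releases typically ship) would be matched by neither the child-process stage nor the network stage, even though `"tclsh*"` in the same list already relies on a wildcard. This hunk only trims trailing whitespace, so the gap is pre-existing, but the MS Office child-process rule touched later in this same patch uses `"python*"` for the equivalent case. Suggest `"python*"` in both stages: `... process.name : ("bash", "sh", "zsh", "python*", "osascript", "tclsh*")]` and `[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python*")]`. Whether any `python3` telemetry has been observed hitting this rule is something to confirm against the FP data before widening it.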
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 9bcc790c72f..fcf05ceb13e 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/06/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 7b7733ccf2a..6a624b12b94 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -30,24 +30,24 @@ process where event.type in ("start", "process_started") and
 process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and
 process.name:
 (
- "bash",
- "dash",
- "sh",
- "tcsh",
- "csh",
- "zsh",
- "ksh",
- "fish",
- "python*",
- "perl*",
- "php*",
+ "bash",
+ "dash",
+ "sh",
+ "tcsh",
+ "csh",
+ "zsh",
+ "ksh",
+ "fish",
+ "python*",
+ "perl*",
+ "php*",
  "osascript",
- "pwsh",
- "curl",
- "wget",
- "cp",
- "mv",
- "base64",
+ "pwsh",
+ "curl",
+ "wget",
+ "cp",
+ "mv",
+ "base64",
  "launchctl"
 ) and
 /* noisy false positives related to product version discovery and office errors reporting */
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 612fd6952f4..503439edcea 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:process and event.type:start and
+event.category:process and event.type:start and
 process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab))))
 '''
 
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 331708cb1bb..6c38458ae9d 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 65ed446c99c..ab28fd91f81 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 66f68d506a1..df6136f0fa9 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 5ab0e43fbc2..3a593cb808e 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index cf6f5c08d66..8134e47db57 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ type = "eql"
 
 query = '''
 sequence by host.id with maxspan=1m
- [file where event.type != "deletion" and
+ [file where event.type != "deletion" and
  file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*")
 ]
 [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index c985ad60da2..497a15c41ec 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 51d4ad97f9f..9438a63137c 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 8ce53fb3df7..dd18874a93f 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index 3152a78ca51..e9bbfc947f7 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/04/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/25"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.type != "deletion" and process.name != null and
+file where event.type != "deletion" and process.name != null and
 file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab"
 '''
 
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index dd98e88d0c4..f534a13971c 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index ab3b9bd0510..75832127aa0 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/25"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 51098f42a45..62a1136e60e 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/08/25"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -29,8 +29,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category : file and event.action : modification and
- file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
+event.category : file and event.action : modification and
+ file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
  not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
 '''
 
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 20dd50e6e5d..65dc9008dcf 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/16"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 9c190e402cb..fde1d0b5a55 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/08"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index aa8590a9366..48fee93aa6f 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 7a1d07ad87e..9e731724fd4 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 438ad14a076..6e9215e789d 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/15"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 40b8116ef1d..3a6f8376082 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 8a553a1ddfa..791796d5605 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 3750c3f4264..ad3afc98310 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 910f20b2843..4525ed5a680 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 81902767ec0..5fbac202ad2 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index ae828854e7c..7941b93cd37 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/27"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 3a1fb4d88be..edcbaabc121 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 8f43f48acce..64fe1a33c46 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/27"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 0ecc6c13015..4a5f09ff16a 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 8f3affcb6b4..8e2c38d1710 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 64635125df4..042ba1e17b2 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/27"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 977f232bd7e..d4013e65c0e 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/27"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 4c6c9a77c59..d4d570f6777 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index f679738e1e6..6e01d7d74b8 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 4b1df1d260e..0ed8ae13027 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 76edefb46e3..9dc4d369e4a 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index db0dff04a98..1465e49749d 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 3c7ad0dc716..536118465b1 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index a5efd9d186d..49e4b61c2f9 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 155139ce591..2414cfe0729 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 14d6b45e115..8fb0d2ea796 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index e582efda9d0..9576661e24c 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index b4543d23f73..7f024209c91 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index ff05f46b3e1..d9e2c5d60ca 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index e043727f68a..2dc000a2b23 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 78d2db1e09e..9982d28527b 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index ecf2310b30e..dd92ad04606 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index 76292678f8b..21021f95fd6 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 25
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index d2fb4830724..5d518840f84 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index 9ff7382b02f..31efb14ceb9 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index 86abc6daf3e..b6d8ac10b26 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index 7f89d01064e..589f986e4b4 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index cbc3722a413..d7d8cc71c66 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 36e3bed86c9..bdd5ae20680 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 0a09218fd19..102d6bdb5b5 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index 53a5a321e81..ccb7eb4490f 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index 7215e6d7809..1af67351a2d 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index b16c51eb6ff..5d1801beab9 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index 8233a85bedd..ec4f84ddbeb 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -3,18 +3,18 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/06/15"
+updated_date = "2022/08/24"

 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job detected an unusually large spike in network traffic that was
+A machine learning job detected an unusually large spike in network traffic that was
 denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
-either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
-Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
-or engage in data exfiltration, may produce a burst of failed connections. This could also
-be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
+either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
+Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
+or engage in data exfiltration, may produce a burst of failed connections. This could also
+be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
 attacks or traffic floods may also produce such a surge in traffic.
 """
 false_positives = [
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index dafc577a45d..39a4fc12e21 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -3,21 +3,21 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/08/14"
+updated_date = "2022/08/24"

 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
-if not caused by a surge in business activity, can be due to suspicious or malicious activity.
-Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
-large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
+A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
+if not caused by a surge in business activity, can be due to suspicious or malicious activity.
+Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
+large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
 also produce such a surge in traffic.
 """
 false_positives = [
 """
- Business workflows that occur very occasionally, and involve an unusual surge in network traffic,
+ Business workflows that occur very occasionally, and involve an unusual surge in network traffic,
 can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert.
 """,
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 717533cb5eb..1740f13f7d4 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 71060cb6c47..216d2f90c2c 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index f1ca5287a95..27e76f3cef9 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"

 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
index e9b35c384ed..a6e07c81008 100644
--- a/rules/ml/ml_rare_destination_country.toml
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/06/15"
+updated_date = "2022/08/24"

 [rule]
 anomaly_threshold = 75
@@ -11,20 +11,20 @@ author = ["Elastic"]
 description = """
 A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity.
-For example, when a user clicks on a link in a phishing email or opens a malicious document,
-a request may be sent to download and run a payload from a server in a country which does not
-normally appear in network traffic or business work-flows. Malware instances and persistence
-mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin,
-which may be an unusual destination country for the source network.
+For example, when a user clicks on a link in a phishing email or opens a malicious document,
+a request may be sent to download and run a payload from a server in a country which does not
+normally appear in network traffic or business work-flows. Malware instances and persistence
+mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin,
+which may be an unusual destination country for the source network.
 """
 false_positives = [
 """
- Business workflows that occur very occasionally, and involve a business relationship with an
+ Business workflows that occur very occasionally, and involve a business relationship with an
 organization in a country that does not routinely appear in network events, can trigger this alert.
- A new business workflow with an organization in a country with which no workflows previously
- existed may trigger this alert - although the model will learn that the new destination country
- is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many
- countries for brief periods may trigger this alert.
+ A new business workflow with an organization in a country with which no workflows previously
+ existed may trigger this alert - although the model will learn that the new destination country
+ is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many
+ countries for brief periods may trigger this alert.
 """,
 ]
 from = "now-30m"
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
index 95f3641e56a..711353d5bed 100644
--- a/rules/ml/ml_spike_in_traffic_to_a_country.toml
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -3,25 +3,25 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/06/15"
+updated_date = "2022/08/24"

 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job detected an unusually large spike in network activity to one
-destination country in the network logs. This could be due to unusually large amounts
-of reconnaissance or enumeration traffic. Data exfiltration activity may also produce
-such a surge in traffic to a destination country which does not normally appear in network
-traffic or business work-flows. Malware instances and persistence mechanisms may communicate
-with command-and-control (C2) infrastructure in their country of origin, which may be an
+A machine learning job detected an unusually large spike in network activity to one
+destination country in the network logs. This could be due to unusually large amounts
+of reconnaissance or enumeration traffic. Data exfiltration activity may also produce
+such a surge in traffic to a destination country which does not normally appear in network
+traffic or business work-flows. Malware instances and persistence mechanisms may communicate
+with command-and-control (C2) infrastructure in their country of origin, which may be an
 unusual destination country for the source network.
 """
 false_positives = [
 """
- Business workflows that occur very occasionally, and involve an unusual surge in network traffic
- to one destination country, can trigger this alert. A new business workflow or a surge in business
- activity in a particular country may trigger this alert. Business travelers who roam to many
+ Business workflows that occur very occasionally, and involve an unusual surge in network traffic
+ to one destination country, can trigger this alert. A new business workflow or a surge in business
+ activity in a particular country may trigger this alert. Business travelers who roam to many
 countries for brief periods may trigger this alert if they engage in volumetric network activity.
 """,
 ]
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 9fe95a2cfe8..430ebdb0911 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
index 219b56e9ac7..2063a8e5a81 100644
--- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
index 8dac682e0d4..292ac6cf278 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index ac5aca6182c..eb58bda47e2 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 71f212b0dae..43a5dc8cf02 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index d27b2d3c090..386a6c5c462 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index 8da60a9ea8c..ecc75619b24 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index bab8ee22e19..fa5dbfd521d 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index 581e3e966cc..374ee419f79 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index ce135cafe43..a4a7c0f162d 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index c6a0799cdcd..e2344b5c913 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 5978b7a2ef9..64a54d7563b 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/10"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 7c2c311243c..d98a18edde9 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/10"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 52ba7a84a01..416a4a71ecd 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/06"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 741cba4538e..1b31af2f29d 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/10"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 2f0b3e200ea..e46f22010c0 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/10"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 6c1b6666966..037247becaf 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 32e4431770e..984bc217138 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 25751bb40ac..e2efb9f8c27 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index ed48d0bfa66..2e080d1e71c 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 7550a8fd625..a0a6679f43a 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index a96f20bc523..2e3e15c6b10 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 45945bbc190..9ae1e20edb2 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index c5051b78575..ceeb344961b 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index cfd100bea45..698c01a64f1 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 88e262e8277..3c28a5b881b 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/10"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index b4308997b75..747224dd4bf 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
index 6e937f85d45..61eee0e03ec 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index d3a1cab382e..e46a2cbed70 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
index 6d9a06cc5e1..7c8cc341b31 100644
--- a/rules/promotions/endgame_malware_detected.toml
+++ b/rules/promotions/endgame_malware_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
index 789d291be71..04caa249471 100644
--- a/rules/promotions/endgame_malware_prevented.toml
+++ b/rules/promotions/endgame_malware_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index c6859fdf0fb..bd31657ebf7 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index 1b092cfb314..e5c66a406a1 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/12/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
index 1d4dd7fa899..8162f2555c8 100644
--- a/rules/promotions/execution_endgame_exploit_detected.toml
+++ b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
index c97a53dfb5d..a40897845de 100644
--- a/rules/promotions/execution_endgame_exploit_prevented.toml
+++ b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index b301b08ba45..bcdf8db18b2 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index bf6a5a43d84..1173027151b 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
index 85c2e01304a..baeb525c230 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
index b98b686a31b..d52db07d9da 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
index 27847dd0410..f9f7b9d5bbe 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
index 3461010672b..8714ffa7cad 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index 5311276b344..d7fe5b42c54 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 338cb4158ed..a729bc577b8 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 2ed433782db..4d55390afe3 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 4ce41091e94..b19087a91d0 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index c0c67a9996e..48dcda0d4ba 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index c6f146dc17d..332442357bf 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 623ca121173..61cc02e66ad 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 8cdd9546567..2a839ec2ac9 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/16"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index bf2ab66e72b..369eed0c16a 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index df3eb3a4eda..92f0fdd4a7b 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 903b2c5b4d4..1cf2dca8db5 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 5528b804653..5da8e1bbf2c 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index e7111698401..e591807e23d 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 84925775e85..8b16c283c1c 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 355469fba63..86189793890 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 2a6fd79383d..15ad517a7e3 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -77,9 +77,9 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=30s [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and - not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and + not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and not user.domain : "NT AUTHORITY"] - [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and + [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and not file.name : "__PSScriptPolicy*.ps1"] '''
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 0c35e622bfd..234ae3a6632 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 2db72e1357a..563ba79bdf8 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 867caf164e9..1d2b3461985 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index f2014122ade..3c06f200db9 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ Directory `Ntds.dit` file. - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. -- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. - Investigate other alerts associated with the user/host during the past 48 hours. - Examine the command line to identify what information was targeted.
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index a9a0bf1dadd..7001aa2c8ed 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 01bc3a5a98e..e2e39e1bec3 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ credential access activities. - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. -- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. - Investigate other alerts associated with the user/host during the past 48 hours. - Examine the command line to identify the `.csproj` file location.
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 8efde916d5f..160e380719b 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 719e97d1119..ef2e662006a 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index fa1abb17af9..3f1e8cc76c8 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 953e182f63d..f9c480186e7 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 405b9865f47..a6cb9e46202 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 3ac32eeae0f..ef75e47a9f9 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index ee72ac24a2c..b5cebe2b673 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/29"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 3783dc9c334..78e3413dad9 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -3,7 +3,7 @@ creation_date = "2022/06/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/06/29"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 247a55d8cc7..9a393f8d02a 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index db1d70a345a..a18d56b33c2 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index f2b21f3677c..d690d19c809 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 4eabaa4a0d3..c09be8af0e6 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
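Review bot: In the `credential_access_lsass_memdump_file_created.toml` hunk the rewritten `updated_date` line sits between `maturity` and `min_stack_comments`, whereas every other `[metadata]` block touched by this patch keeps `updated_date` as the last key, after `min_stack_version`. Since the line is being rewritten anyway, moving `updated_date = "2022/08/24"` below `min_stack_version = "8.3.0"` would make this block match its siblings and let future bulk bumps like this one produce uniform hunks. This is a style point only; the value itself is consistent with the rest of the commit.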
@@ -3,7 +3,7 @@ creation_date = "2020/12/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/24"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 130ade1c815..ed0d60b371d 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/29"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index b6312fdbaa5..be0652459ba 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 485466d718e..be6289fe78f 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 75e16257931..57d4cabdeb4 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index b5058710933..ff6c3ce5f68 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index fb7dbb6fbcc..db728f7998d 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -3,7 +3,7 @@ creation_date = "2021/09/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 270380dd4ba..4c8c0e89d8e 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -3,7 +3,7 @@ creation_date = "2022/04/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/30"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -31,10 +31,10 @@ type = "eql"
 
 query = '''
 process where event.type in ("start", "process_started") and process.name : "rundll32.exe" and
- 
+
 /* Rundll32 WbeDav Client */
- process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
- 
+ process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
+
 /* Access to named pipe via http */
 process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
 '''
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 5b25677cfc8..5c15e0e4e1c 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/30"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 64aaa2f43d7..6a214a8484f 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index d5f2b5bc28d..927a52eb076 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index d6105256e5d..0910b1d49ef 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index fa1e1825c7a..12878bacd05 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 56f6617110b..463542ea009 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/10/17"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 7becf6e4898..ebc49b167e9 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 216cb8f3ef9..50b5f1f2d84 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/10/14"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 maturity = "production"
 min_stack_version = "8.3.0"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index ee724b4c7f9..5fbd1b85408 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ modifications, and processes created.
 ### False positive analysis
 
 - If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions
-if necessary. 
+if necessary.
 
 ### Response and remediation
 
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 62003fc1094..e972bee0a7f 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -3,7 +3,7 @@ creation_date = "2021/12/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 5a1003e198f..5fc0013f1ea 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/11/27"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index b4a6e78efb7..53a70ea98c2 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index d58644f7fe8..465568984a1 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 14749596f3c..7176301608f 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index d948c041072..dd40f7079f9 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/08"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 76e388c534d..6ac4976915e 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 3bc075ecbe4..e29aa582a3d 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -3,7 +3,7 @@ creation_date = "2021/02/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index f9522c0e3bc..4e02f3e13f6 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 915c47d63fb..f70bdb6623a 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index df81cf114ec..adac067f44b 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 54ae2c1ea3b..f30f1c8e354 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 90175ff7fa1..20a402446ed 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index aefba79dd0f..20bb4568fd9 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 2e023e9240b..051dae54b56 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 648f80c4cb1..9b16158eb0a 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 0dbdcc80b13..24a7c41736d 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 322764ca6ef..ba879e0357f 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index fb589dece09..d474f8116dd 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 89b7e53c62a..b2c7b958f9d 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 453087a8dee..01c9f1386a2 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -3,7 +3,7 @@ creation_date = "2021/09/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 2344169cea5..61535ca7363 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 8b68f6a0d33..531eb5b0b22 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ execution of malicious documents.
 
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
-- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file 
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
 modifications, and any spawned child processes.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include,
@@ -77,7 +77,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,
 persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 03ad0e828eb..0806d9a0c7d 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index c8fdeda0da5..f184d0ae9f2 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index dbfefee7465..9989869bf43 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index f1b6fa935eb..d5335215480 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 77bc8ce30d1..4a8300d01b3 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 7f7a0559f07..861f269e831 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index b1dc6c353a3..61979ad96e0 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index bbf85472acf..e935731ae19 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 602e92feba7..329ccf66d75 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index a4b5335934e..71f1ad1811d 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 14707c9b224..190bd5a7466 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index b948f747522..f4dfd3c8ea6 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 815699bc39d..c9a234b7fbd 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 98e614a1ec7..834bc59218a 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 501e34903ff..c918c010e05 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 84909a4dcf2..04b181254cb 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index e7fd24d11f8..f068cd77626 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index bc3fadcd8ca..78b3a369691 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 81d40b451bc..9a6486dc1ae 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index ab2fec082cf..65d4dcbaa95 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index c10dcf45ad5..6359cd910cb 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 805420b5e6c..db78aef29ee 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/09/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 22dbe221e7b..56d1aaa2b46 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index f6109ebb426..26fa968a2fb 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index cefbacd9faa..a22b0b9d9db 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index c05d68e2d11..81212aff743 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 4714e2bb9f1..ffeacb3e92b 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/07/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ sequence by host.id, user.id with maxspan=5m
 ] by process.pid
 [process where event.type == "start" and process.parent.Ext.real.pid > 0 and
 /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
- 
+
 not (process.name : "msedge.exe" and process.parent.name : "sihost.exe")
 ] by process.parent.Ext.real.pid
 '''
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 23cbe6acd53..13858de6941 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 74100d7398d..ffb36c8047d 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 7b3a1a5aeb6..0d51841416c 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index d44bc3faccd..40e8e9e85d1 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index cc0c021d69c..e18dd020fb1 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 9a0698efc38..58f8fc80285 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/01"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ type = "eql"
 
 query = '''
 sequence by host.id with maxspan=5s
- [process where event.type == "end" and 
+ [process where event.type == "end" and
 process.code_signature.trusted == false and
 not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe")
 ] by process.executable
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index 741ee76e8c5..0e49f385f27 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 6bf40539a75..78fb8df7128 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 1d565cd573b..9410f017370 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index dd06a4afd03..f19450462cb 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index abe66200d51..d438ea117db 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 6737a36702c..5c264a22924 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index d09a6c4999b..c0ebb515d1b 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 0b96b4a73a3..5b5cddc7fd3 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 33f505b2553..fc277c2c976 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ type = "eql"
 
 query = '''
 sequence by process.entity_id with maxspan=5m
- [process where event.type == "start" and 
+ [process where event.type == "start" and
 process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")]
 [file where event.type != "deletion" and
 file.name : ("wscript.exe.log",
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 9dc6e69d9fc..3ce9febd757 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/30"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index 8d5303f0907..d7f0ff9e335 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index e44c0311b5c..a9b022ce87e 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 6099477b1df..925f683e295 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/18"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index df2a462b1a2..fa88e3a5796 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 7410c30afd9..2e5e03b0bb5 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 77efaf02ac5..6c9ed67716e 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 4673cb81a27..004e22e6602 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 02ee6a70d17..1aadd0b3786 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 99b042d3098..c0e02b91e99 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -3,7 +3,7 @@ creation_date = "2021/05/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 59284280762..9cbfa12f82f 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index a045195ed33..45d36bda30d 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 0d6dd9ff6b2..e8da6bc58a0 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 86015967896..1268e86f2da 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 54f6b18e09d..3e47ac99fe6 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -3,7 +3,7 @@ creation_date = "2022/03/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 8e8af282638..a9a040432c4 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index b497c9e609c..efbd0638ae5 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 49a9afadb82..c01dc0af7b3 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index b7d82df7458..74340e2bf94 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 63256b3e5d3..de79b18a151 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 02b23c4770b..aea0e9576b1 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 03ee77d28b1..bf84837c359 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 41ca23dc570..dccba051886 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 330fa68d00f..d822c7b5dfb 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 8d37024d6be..df268f1263a 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/06/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index e176e5b0e21..2ddcef7e383 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index b09ad56af06..14b5eb74503 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index f21efc26e4f..73c4486b7ce 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 418761839f2..59fa893d921 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 7325ccdfa5d..f34b52b1d62 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index c54b386257c..e127caf03ba 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/05/26"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 477ff5087bc..8563addf90c 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 3172d0bffe1..59849446d3b 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 1b3457e25c7..a9db9e87d34 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 819406f15b3..7409b4e053a 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/09/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index ae04debda00..89ee324fcad 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 35a0ac77254..85d57219d53 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 6abab78a0e1..88fd4fa7ea1 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 0affd13f5cc..b4102eb2339 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 64a8f8f78d4..cdea617dac5 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index a9c40c766a6..75e4a0377dc 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ note = """## Triage and analysis
 ### Investigating Execution of File Written or Modified by PDF Reader
-PDF is a common file type used in corporate environments and most machines have software to 
+PDF is a common file type used in corporate environments and most machines have software to
 handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.
@@ -66,7 +66,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index 87720459d6b..0106950c77f 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index 3a27b6e8606..5ce13c0f8ff 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 41bfbab79e3..d697c16895a 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 3629bdb1345..47e7f9988f7 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index a34fa00e03d..5adbd0ecdea 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 349f0f9801c..eb0103d8aac 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 3c13dd8d3a5..b884ac56217 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 592e8baa606..8f6e3d5c11d 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 0238b3d0cfa..6e844710964 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/21"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index f80512f9c86..2b0da73e860 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 20c5c9cb80f..a5b85e49db8 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 55d46f89cff..e03e57ce4cb 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 77366c22c95..aaff7b9e9af 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 7a996ba242c..edfb9805121 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 75a2f7cd31c..cc68269a126 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 4a8ab2c851a..bc4f2dbaedb 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index f4deebdf24a..d5ec9209458 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/29"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 6fb85a1e73d..f4354064921 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 8c93113a406..bb92b2428a1 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index a1bbe907135..7c676d94e22 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index c04148ca91d..88ac96c3cd5 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 80d1df89269..34fa1477cb1 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 968c4e26ace..ffa8551cc96 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index a83f1fb782e..6c5c5f28156 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 570fd67094a..c100567b4d3 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 1b3761ebe00..6068ea9c0b0 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 2fc04cd2067..dc6994c27ac 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index e25588d0561..917415c9589 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 79132146e87..b5a2b80bafe 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index ac9bb03a73b..0568e141684 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ versions 2003 to 2019 and can be triggered by a malicious DNS response. Because
 privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.
-This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a 
+This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a
 similar remote code execution vulnerability in the DNS server.
 #### Possible investigation steps
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index a14bf62b55a..02884a3ac61 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 30a04aefc61..f315225dba3 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 67342bd3aa2..3b3e05b4a59 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 2c3f863df8d..d8488e1d839 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index b6e0ee6314b..2a3e1cd8fcd 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 8165a1b99cb..214a92111e0 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index d91a90cb8ea..986d05289fd 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index ed401ceda8d..dae96e8015a 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index a1bec149a7d..162b8f4b1f8 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/06"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vu
 the source of the incoming traffic and determine if this activity has been observed previously within an environment.
 - Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.
 - Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as
-Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
 - Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.
 - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
@@ -59,7 +59,7 @@ determine the source of the activity and potentially allowlist the source host.
 - Initiate the incident response process based on the outcome of the triage.
 - Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)
-a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
+a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
 - Maintain backups of your critical systems to aid in quick recovery.
 - Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
 - If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index b82d50e9dc1..e8f51e328cf 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 8110f9dd81c..440f51dc013 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/10"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 6c6e98e33f7..c443b7b1f36 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 13a1458a6d9..d2a93a2f206 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 867446180ae..285d5470251 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 6940e499910..8373b7e8f53 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -34,10 +34,10 @@ sequence by host.id with maxspan = 2s
 /* Excluding Common FPs Nessus and SCCM */
 [process where event.type in ("start", "process_started") and process.parent.name : "WmiPrvSE.exe" and
- not process.args : ("C:\\windows\\temp\\nessus_*.txt",
- "C:\\windows\\TEMP\\nessus_*.TMP",
- "C:\\Windows\\CCM\\SystemTemp\\*",
- "C:\\Windows\\CCMCache\\*",
+ not process.args : ("C:\\windows\\temp\\nessus_*.txt",
+ "C:\\windows\\TEMP\\nessus_*.TMP",
+ "C:\\Windows\\CCM\\SystemTemp\\*",
+ "C:\\Windows\\CCMCache\\*",
 "C:\\CCM\\Cache\\*") ]
 '''
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 060dc8961fc..8aebea11f5f 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 2364f51ac98..7ca58f87238 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 3ccfebe3168..c98bd25bcf8 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 95f297c52b9..873f5fdfaff 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -30,18 +30,18 @@ query = '''
 /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
 sequence by host.id with maxspan=1m
- [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
+ [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
 network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ]
- [registry where process.name : "explorer.exe" and
+ [registry where process.name : "explorer.exe" and
 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ]
-
+
 [process where event.type in ("start", "process_started") and
- (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
+ (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
 not process.name : "conhost.exe" ]
 '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 11fff298221..7b3d39f6ad8 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index c325d94850e..073ea9e064f 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/01"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -25,12 +25,12 @@ type = "eql"
 query = '''
 sequence with maxspan=1s
 [network where process.name : "services.exe" and
- network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
 source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id
- [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
- not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
+ [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
+ not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
 not (process.name : "msiexec.exe" and process.args : "/V") and
 not process.executable : ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 6b4679510b6..7772d0ac9d0 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/06"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ further understand the source of the activity and determine the intent based on
 - Remove scheduled task and any other related artifacts.
 - Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
-"""
+"""
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
index 52ce460f298..1cd9e456311 100644
--- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml
+++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 956b5d36cc0..cdec153a09b 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 2eba2230a04..98c55b9c54f 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index fe844128c0f..fe2cbf83858 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 9dcf32bce56..8f8ede5f303 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 7e0a98157bd..87e6ea6e8c9 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 049319a60df..bd333a6fa49 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index ee3352a007a..10bda16b9fc 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 4cabb99403b..0a552d3a984 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/23"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index c6066a6a7e1..8f364e80d7e 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 967a5a347c1..b322eb39119 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,9 +28,9 @@ type = "eql"
 query = '''
 registry where length(registry.data.strings) > 0 and
- registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
- "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
+ registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
+ "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and
 /* add FPs here */
 not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 18e208296d3..72fc0f11824 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index bbb900b3e19..cb007feefd7 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 7c3afd664e2..44117c47709 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index d0ca39fd8f6..a167b976529 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/04"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index 866f3eb3fff..e691e45ab75 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 989e5f7508c..b05a57b6969 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 9174555f7bf..d8b6f1cbdf2 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 39d559be4d2..7e53b4f100a 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 8bc2685b15a..25dcc9f809f 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 7b1821f35b6..2d708937b46 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 17b49798185..a88cd84cc6d 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -77,7 +77,7 @@ registry where
 "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
 "HKLM\\SYSTEM\\Setup\\CmdLine",
 "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and
-
+
 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe") and
 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 67c1ee193e9..bf91a0ed639 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index c4daa6d5735..4b720ed9386 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -30,16 +30,16 @@ query = '''
 registry where registry.data.strings != null and
 registry.path : (
 /* Machine Hive */
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
- "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
 /* Users Hive */
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*"
 ) and
 /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 534cfbcf714..7f1ef22d7e5 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2021/03/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 63e672db709..fc12dcdcb12 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/06/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 9b663a5f73a..9a42da61fcb 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index c3625b82da1..e0b15ff8d55 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 2d15191c445..b6ebd0323b6 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-"""
+"""
 risk_score = 47
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
 severity = "medium"
@@ -84,15 +84,15 @@ query = '''
 sequence by host.id, process.entity_id with maxspan=5s
 [process where event.type in ("start", "process_started") and process.code_signature.trusted == false and
 /* suspicious paths can be added here */
- process.executable : ("C:\\Users\\*.exe",
- "C:\\ProgramData\\*.exe",
- "C:\\Windows\\Temp\\*.exe",
- "C:\\Windows\\Tasks\\*.exe",
- "C:\\Intel\\*.exe",
+ process.executable : ("C:\\Users\\*.exe",
+ "C:\\ProgramData\\*.exe",
+ "C:\\Windows\\Temp\\*.exe",
+ "C:\\Windows\\Tasks\\*.exe",
+ "C:\\Intel\\*.exe",
 "C:\\PerfLogs\\*.exe")
 ]
 [file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
- file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
+ file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
 "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*")
 ]
 '''
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index c6124f1d59d..93a1c1e758b 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 799fb6bc439..c8b7ff074dc 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 05f84155fbe..d0f23ab06a7 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 67ee7822909..10e4e202a80 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 893a1f363a8..3867e795159 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 7b8d6de9c58..9f6c2aa4ba6 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 75c325afc21..acf6d33305b 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 3d14692190e..120788fff66 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic", "Skoetting"]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 4c6f4250ca7..fe1d1338579 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 96c0218b40b..6dd4099780d 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Skoetting"]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 11b3b5aa225..ada05a00f9a 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
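Review bot: In the `persistence_user_account_creation_event_logs.toml` hunk the `[metadata]` table still carries no `min_stack_comments` / `min_stack_version` after this change, which is at odds with the commit title "min_stack all rules to 8.3" — every other hunk in this patch shows `min_stack_version = "8.3.0"` as context. This may be deliberate because the rule is `maturity = "development"` and so is not packaged, but if the intent is to pin every rule, add `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` and `min_stack_version = "8.3.0"` next to `updated_date` here as well. As a point of style, the three `@@ -1,7 +1,7 @@` hunks place `updated_date` before the min_stack keys while the `@@ -3,7 +3,7 @@` hunks place it after; keeping one key order across rule files makes an omission like this one easier to spot in review.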
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index a360f861bc6..fd414d53df5 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -3,7 +3,7 @@ creation_date = "2021/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 31b0e440c5f..fe198357083 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 50417fc7ac8..115c37e1ba3 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index e04a4a84c60..5ac2cdb8a3d 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 4e95736ae88..e12d5088467 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/03"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 181a4387d99..bda788a0d39 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index f21e67f6bef..e17ef2cd67f 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -3,7 +3,7 @@ creation_date = "2021/03/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where
+registry where
 registry.data.strings != null and process.name : "WmiPrvSe.exe" and
 registry.path : (
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
@@ -39,18 +39,18 @@ registry where
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
- "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
+ "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
 )
 '''
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 065e8152294..77f61da2f3b 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -3,7 +3,7 @@ creation_date = "2021/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 570310780d3..f487637afa9 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 21c810079f3..5ae6566bab6 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index d044001f36f..59d740fa1d9 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 81d21519ea3..3e7651f6d1c 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/08"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index 5c7cbf40d9e..d4f0f18036b 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/09"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index 9f532617de4..f944d9ee620 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/04/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/27"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 541986e1408..1f98312c78c 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 33b5bb1844a..cf7755f29ba 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index a7e65b8c2fa..bc8be58eeeb 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -3,7 +3,7 @@ creation_date = "2020/01/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/02"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 61fa1965a4b..9b97e46ab80 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 9016be078e9..3f477aa0f2d 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 3b1f33d606e..316b360f0cf 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 8146a5282f8..3e0f3bc2dbe 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 3955f8442b6..7989ea55e0b 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 7808208c2b9..383a55656e3 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/14"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
+registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
 not registry.data.strings : ("C:\\windows", "%SystemRoot%")
 '''
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 4c4f5c2b68b..d3048f7ece7 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -3,7 +3,7 @@ creation_date = "2021/12/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index 4d7bc7dda2c..84142a0d951 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/05/11"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index f2e360f19b6..8e93087784a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index a9950da63c7..43f649f51d4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 492115481ca..6c472be6084 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 4023da9f8b1..90515eff7d1 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index b99c4a55364..5db14e8052a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/27"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 3f5ea8c07c7..301fdcbbf08 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -20,9 +20,9 @@ note = """## Triage and analysis
 ### Investigating Bypass UAC via Event Viewer
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index db91bec7b71..a017669d412 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -20,9 +20,9 @@ note = """## Triage and analysis
 ### Investigating UAC Bypass Attempt via Windows Directory Masquerading
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 025be0739ba..7a1832eac75 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -20,9 +20,9 @@ note = """## Triage and analysis
 ### Investigating UAC Bypass via Windows Firewall Snap-In Hijack
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index bc9b37269fb..a872c120c9f 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/08/03"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 25a470e2eab..d6c7b8bcfdb 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
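Review bot: The `@@ -1,7 +1,7 @@` hunk of privilege_escalation_uac_sdclt.toml shows the whole `[metadata]` table, and it still has no `min_stack_version` or `min_stack_comments` after the change; only `updated_date` moves to 2022/08/24, whereas every other hunk in this chunk already carries `min_stack_version = "8.3.0"` next to the same `min_stack_comments` line. The same applies to the `@@ -1,7 +1,7 @@` hunk of privilege_escalation_wpad_exploitation.toml further down. Both rules are `maturity = "development"`, so skipping them may be deliberate for rules that are not shipped, but a bumped `updated_date` with nothing else changed reads as an unfinished edit. If the floor is meant to apply to them too, add `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` and `min_stack_version = "8.3.0"` between `maturity` and `updated_date`, matching the key order used in the production rules.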
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/05"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 7a8ff0c18ad..dede169417e 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/06"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/04/20"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 8c705c4bd9b..5d37f47284c 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/01"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index b9d469dbd70..8791d7dc9c1 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 4d4b5eca212..1c06a4cadfb 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/02/07"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 6d1ee32d2b5..cdbcb473ac7 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]