diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 1d39e198810..bdb0396e4a4 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/23"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 84b949641fe..de2c167d960 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index b4ad62019bf..7dffd7a2e37 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 6e54295b0e7..406fca876f0 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 798d6db68e5..915c09f4456 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index 258b9c59539..11f5a6aecf0 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
index 72bd569949a..e91e82eb0d6 100644
--- a/rules/windows/command_and_control_outlook_home_page.toml
+++ b/rules/windows/command_and_control_outlook_home_page.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/08/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 7df2dcf0acc..cc1ee407e09 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 736f723d780..79a8dd9a552 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 83437538152..a47bba1649f 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 4ffa80c7780..bea0f2dd3d1 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 40905e4241c..17e4da0ad31 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 45324b42963..6b14391c195 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index a715e9a4f7d..65e10e0927b 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/25"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 51c200e9727..7b42d66d267 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
index b146913ed3c..94388242ee5 100644
--- a/rules/windows/credential_access_adidns_wpad_record.toml
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/06/03"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index f5023f68859..70b65e8ebb3 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index bec11186d41..60aedf7e79e 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index 5101425683f..100e7779258 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index b462b04b382..29afc3d4914 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 147d2154b05..11afc3eb35a 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 55c55eb6b13..acd36a596c4 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 41e1120be0b..d6cdd685f06 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml
index 2cae4cddf43..912a7da74cc 100644
--- a/rules/windows/credential_access_dnsnode_creation.toml
+++ b/rules/windows/credential_access_dnsnode_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
index cfc330fca47..38245c9dbb2 100644
--- a/rules/windows/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index dae11b84426..279676fec23 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/06/25"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index d5a640ec27c..362e3b03d53 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index e81180d5513..ec951d94d75 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 0dbd5c5516a..b092353d1e8 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
index 20359434277..b1bcc5351d1 100644
--- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
+++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/10/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/14"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index 7ab5d8af99d..01de955ce9f 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index e4197334263..0715a53733a 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 414ba86564e..d2b3ebffb78 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/06/29"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 3e387c11e2b..45cc60c80bb 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 8c5174f50a5..9a4d4cbafff 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 62b1d5e83a7..addbde90c98 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 37ae2731724..7dd04a08fe6 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 9a6ed4104c8..d5239af0af8 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/18"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index f62f2f7b30b..3b9496723a6 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 70693d7f656..67fd6cac5c5 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
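Review bot: The new `min_stack_comments` in credential_access_persistence_network_logon_provider_modification.toml attributes the 8.14.0 floor to the Windows Integration, but that rule's `integration` list is `["endpoint", "m365_defender"]` and does not include `windows`, so the stated reason does not match the rule's own declared data sources. Raising `min_stack_version` also silently withdraws this persistence/credential-access detection from stacks between 8.13.0 and 8.14.0, which is worth doing only if the rule actually depends on the breaking change. If the bump is applied to the whole Windows rule set regardless of per-rule integrations, the comment should say so, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration (applied across the Windows rule set)."`; otherwise either add the `windows` integration here or leave this rule at its previous floor. Every other hunk on this page lists `windows` in `integration`, so the mismatch appears to be limited to this file.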
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 18fe518a6d5..385a6037a93 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index e9071f1e467..6ce11906e74 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 405ac2ab0a9..0edd3a91adb 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index c01731dfb94..e71a3fc5dc1 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 663b7605067..b4b6624514c 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index b5c439fee17..154aad2f342 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 264f270f107..85cac0a326b 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index b9a17c28fd8..8227fa83261 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 57ecf673ecb..1a727878845 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
index efe75111d47..d4c0eb61c10 100644
--- a/rules/windows/credential_access_wbadmin_ntds.toml
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/05"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index bc8671ceee4..9adbf4ae1bc 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 9ce9ddc7ca8..2a9d80ef042 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index c190bad82d9..85dfa1fd8b4 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/06"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index dc6cf3ab71d..0edc49a16fd 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 8cfb8525f04..956dbc8b434 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 1a0b254e769..ce861a6e750 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index b1d43c82769..44fc189c4f0 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index bc845af10bc..77b25f9afcf 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index abb44adf81c..55093bd4d34 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/02/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 87262a1bd2a..ba27a71f0ca 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/11/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 51e56af5650..449e185c1ec 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
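Review bot: The `defense_evasion_defender_disabled_via_registry.toml` hunk moves `updated_date` backwards, replacing `2024/11/07` with `2024/10/15`, while every other hunk in this change only moves the date forward; after merge the rule's metadata would claim it was last touched before a revision it already carries. This looks like the branch was cut before the 2024/11/07 edit landed and the date was overwritten on rebase, but that cannot be confirmed from the hunk alone. Set the new line to a date no earlier than the one being removed, e.g. `updated_date = "2024/11/07"`, or re-run whatever tooling stamps these dates after rebasing onto the current base. The `min_stack_version` and `min_stack_comments` lines in that hunk are consistent with the sibling hunks and need no change.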
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index f1d1633219f..338b618a6d2 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
index d4837d9fde8..817b3ffbd14 100644
--- a/rules/windows/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/25"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 449d353eae2..67929fe2adc 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 9368dd353fa..65a436ee027 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 3b05b8299aa..b9550cf0693 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index f6134997dfa..fda24d04a50 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 1e6d9efa860..9bb21c0aa79 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/22"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 2ef09973677..e826a191ae8 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 11053fc25ab..7cee70ce5a7 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index e23d6a1c5d2..b555cf338ee 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 2eaa6cf25c6..3da050592d2 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/09/08"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 19b2096a0a7..1817612d87f 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index c32b3e5b974..218dbbe1f9b 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 18ee1bdfe0c..06931c3e206 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 5d38d067154..7f866302267 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index e9fb6967985..17ca6cfd018 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 1da070db9ac..c46c13405b5 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 4b3b5ee42a7..b3b03816550 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index 030626c190e..4831a04c05e 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 050903c67fd..25ed246466d 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 076e6fa7883..e062b9751e5 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/04/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 59da95dae9c..d89f796cde2 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/08/01"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index eca5aea1970..6abd0388863 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
index adcd8e80a1d..12ccdf160ed 100644
--- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
+++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/07/24"
 integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/07/24"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 00d8aa0cf9a..2aa5a43e6fe 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 7357ec19913..e696ca6045d 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index e1b1fac5353..c6e35d6317b 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index c5b8af0185c..6528fa02643 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index dca4f49ea9e..fbcddc20fc8 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 048d34ee27c..8d7ee180716 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index a7c4a5a81e8..3aaa9c8230e 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 81140bbff58..f749a8499a2 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/01/12"
 integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index f2a978729f4..6ad923b8b36 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/08"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 45747d454c5..e36fa0afdba 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
index 02c86e40189..3ec331c277f 100644
--- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
+++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 714b2841761..513740d35b9 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 3bf709535de..5eaa66ce8f8 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 4676a3a638b..e58222e18b6 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/05"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 66267ee2532..0f2f2f758e1 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index 553b5771192..01bf525400c 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
index d997fd0d1a1..e42b52ac964 100644
--- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/05/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index df0cd93bfc6..3da978e81f0 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 05f50273453..94c5fc8e2d9 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml
index d430469b813..e8ecd0ddcc2 100644
--- a/rules/windows/defense_evasion_sc_sdset.toml
+++ b/rules/windows/defense_evasion_sc_sdset.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/07/16"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration"
-min_stack_version = "8.13.0"
-updated_date = "2024/08/06"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 6305d62ad46..7d5d97ca9d5 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index bd98fc0f29f..12b49fd1160 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 407c0a738f6..0afe8f45790 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 76f6288a261..b02b61f38ac 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 25244f5d472..14445099941 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 3f4b39bda55..c30a6309534 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
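Review bot: In the defense_evasion_sip_provider_mod.toml hunk the new `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."` cites an integration that this rule does not declare: its context line reads `integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]`, with no `"windows"` entry. Either the integration list is incomplete or the stated reason for the 8.14.0 floor does not apply to this rule, and the previous SentinelOne justification has now been dropped. Please either add the missing integration or make the comment name the actual constraint, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the <affected integration> Integration."` with the placeholder filled in from the real dependency. Every other hunk in this range that carries the same comment does list `"windows"`, so this appears to be the only mismatch.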
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 835c75dc5c7..4fbeafb570a 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 95bbb77f5fc..f843d86683e 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index d38e017d6b5..0dbba3fd50c 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index d4c4fb10d89..29082352f01 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index e6f6530f633..02c9c309f06 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 20b7952815c..d955a9616ce 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index b10b9798946..3f1cee8f4c1 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 76384da683b..369a94ea93e 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 088474a8bde..85fd3c6678f 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml
index 827fb4c7a89..1664fbad7f2 100644
--- a/rules/windows/defense_evasion_timestomp_sysmon.toml
+++ b/rules/windows/defense_evasion_timestomp_sysmon.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 9892c746a3e..d15e81af059 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index db6289fc872..a200b2332a0 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 18f0e76af9e..0e2c84b0d56 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 90e8da27038..f18055065db 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 42fa32b52d9..104bf15fb9a 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index ce216c84100..f0a7b5397b1 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 2baa1d028a1..5336a51633d 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index 158e8e06e24..a409ebe9849 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/12/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 9d1a9a8ff41..0c4340107bb 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 52bf87fa102..28b232f3d9d 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index 03d26b98dcb..e30d5e1abf6 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index b79b648915b..27ac79214f0 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index afcf4dfd1c6..eb37721421f 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 5f5a23a7eb4..78c7d2ce2ce 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 15d87f13a92..88aec487307 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 3a287569862..a3da31eaf2f 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index ac828d05e32..680344f4aa1 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 24ebab8393c..6a9ece61262 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 69b27a3ca48..baef2e811eb 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 7bb4cfaaa9f..8d8df6bf394 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 49957c701a6..cf6300f0dfa 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/18"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index 809819abd60..0b6dad34e2a 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/07/08"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 1fbd0576533..58ec5ea40fb 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 89c9694626e..63ecd705b1b 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 72981f04454..4014a9c33c4 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 7be01a17d78..aaedd17b17d 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 29d7056f17a..5a8f3e25916 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index b8923fc73b7..437d881b36d 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/06/25"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 51561402298..f19d1e775db 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 58780758162..19bfe52c6de 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 18bc6ac6162..ca4600bb830 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index ee8d103a56a..96a4bfd6b38 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index 1e7b2bb13c8..c399add922e 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index bac39e17a10..b489ea69cf1 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml
index b5aff9ef7f9..499d310019c 100644
--- a/rules/windows/execution_initial_access_wps_dll_exploit.toml
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/29"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 55edc986b8f..e4f0ffccc51 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 058f714a9fc..146ff0b2c9b 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 4384952dbf1..4b9ca9d1175 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index dc36a88a291..2083ba4dd83 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 970a63b9847..443716555aa 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 0f8b6fef4fa..84866b389cc 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index c3ba715e748..02324988eac 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 9a1dba523ce..dc17bde0562 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index c74c84f282c..5b16433260e 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/03/30"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 028f8db6ea4..ba63a982901 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index e286722d346..e46a66a7627 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 59d141bedfb..0ce73c893f8 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index a55d4ddaf3e..aabdc76aa88 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration"
-min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
index 5d000eb6015..d6bb9f17af1 100644
--- a/rules/windows/execution_windows_cmd_shell_susp_args.toml
+++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index f0fb956a382..0b09b6c4baa 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 206e81d97ef..fa26cce592a 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index fa0f5b8ab97..8cb06570a5b 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/03/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 0bab4049389..23518cc3d26 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 12e7fcb233c..d5e9109fd39 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 8a0795de492..8285e66bf17 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index 7da79237cd8..6ae987f4f03 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index fd23057a547..4faad5dfbcf 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index e8f974190bc..bd42e3ff3ef 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 00797e7b6a0..58ba10b2d4f 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index c9c97d1bc8e..23c41341535 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/27"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 34c4bd359a1..888d366dfc3 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index cd2730698e1..9d1dbad60db 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 9f66055ffac..24a7a35c94a 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 179ed6b5055..31a0597a3b4 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index a1791059c27..09e45aa0f77 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index e95614e9ebd..3f33d06e360 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/29"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index 78f95036fd5..8498dceb9a3 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 191930a7cfd..6bc844d0c45 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 428f9abd7ca..17625556c65 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 472b5eaa456..fd2ad45bc02 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index b2a95628a49..0ae4173fb6c 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index da4621fc08e..74e5284a1ad 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/22"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index 8e892943861..1e1e22abd20 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index dd2e57be8a5..1ae64427993 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 2384ec06eee..f3a096eded1 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 296271162ef..0c695c6002d 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 4458f67056e..c85818d19fe 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 51b8ffdcf0b..d819cf2f387 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 2100fdd5941..be8f3779dbc 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index e72f823e8b2..cae96af1bb8 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index 979b71d08cf..52e69a456f1 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index cf677477a2c..5b4e63fd91d 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
index 3d76b3c873e..9f3e2a2aa20 100644
--- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml
+++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 43f0b5604e5..962d7dc4f30 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index d7c22ad7b9d..d6bf620d013 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 9a028c034a7..45f0b4c8634 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index 26920cfa184..b05d4e7181d 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 5e503167226..1694f8e9ad5 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index e3d101e90bc..c86b4c83a9d 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/07/19"
 integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration"
-min_stack_version = "8.13.0"
-updated_date = "2024/08/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index e2dd298af15..5e5e4f94578 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/06/25"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 9e73ea35e35..888afb2ac42 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 84d4ecb328a..8ced36769d3 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/05"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b9abf4983a1..9a84ff545af 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index e9ff555f34f..7bcc2ade5b5 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2024/10/13"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 72a0dfd71e5..71504064689 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index cc48f08d2c0..783c763a025 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 0aec5fc8cd0..51748fc66b2 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index fec81e7a6b2..a652ef77e0b 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/06/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 9a085812828..e771f3d2d8e 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 4cea0244e98..b16d94cda6a 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index ab34ec41bca..2dcdda69129 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index dd418a9aa68..040eb7fed6e 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 020881eab59..3cec5159564 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index fb721777718..446ca449b00 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 4e1388f04a1..b024cd12e5b 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 266757acd9c..b0ea3fd54f3 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 9487702f073..cbdb75da78a 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index d099c8957b9..d4ca0170ace 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 56454aa6899..bac3b848db0 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 3046f729c22..c0698e0647d 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
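Review bot: In persistence_registry_uncommon.toml the new `min_stack_comments` cites a breaking change for the Windows Integration, but this rule's `integration` list is `["endpoint"]` only, so the stated reason for raising `min_stack_version` to 8.14.0 does not apply to it as written. The same mismatch appears in privilege_escalation_dns_serverlevelplugindll.toml and privilege_escalation_printspooler_registry_copyfiles.toml (both `["endpoint"]`) and in privilege_escalation_msi_repair_via_mshelp_link.toml, whose list has no `windows` entry. If these rules are being floored at 8.14.0 for a different reason, the comment should say so, e.g. `min_stack_comments = "<actual reason for the 8.14.0 floor>"`; otherwise either add the integration the comment refers to or drop the floor for these files. For the rules that did list the SentinelOne integration, the dropped 8.13.0 note is still satisfied by the higher floor, so nothing is lost there. A minor style point: the `-2,7 +2,9` hunks append the two new keys after `updated_date`, while the files that already had them keep `min_stack_comments`/`min_stack_version` before `updated_date`; picking one order for the `[metadata]` block would make future bulk edits like this one easier to review.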
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index e4e9538432b..ddc19d2048d 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index d8e9edda213..6fa9f59b94f 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index ff01804c937..6983c1da7a1 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index ed0da3e819d..f184ec06c17 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index 1027713a33b..a5ee18a1488 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index db8f90c682b..7225410023f 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 15e90b364c1..c090becadf3 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 02a68eac956..b0dacf2ea04 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index c03e8ea7186..cfed5a4d340 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 55d0dbe261f..a593685c0f5 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index b8675745f21..491958437d6 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 617d438f1ed..586426af047 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/02/02"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index fab80ec2987..07e4620f257 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml
index 7b6dd228e4f..a23aede04b4 100644
--- a/rules/windows/persistence_temp_scheduled_task.toml
+++ b/rules/windows/persistence_temp_scheduled_task.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index bfe7c2d9212..a0a99130517 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index a5b9259b2a5..eb07058b048 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Skoetting"]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 3658caf6b9a..5c297aac021 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 1c69e80e9e5..6700b4d1c4d 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 1b078460ce2..42a345b965a 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 3c8b8689a1c..88ed115ee77 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 910829cdd95..7a3c8569eb7 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index ac840a12a92..5ccc0a53ab3 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 95b6e11f329..73154544c70 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 66976d16c64..c25990359bf 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index f28345f9bf7..dceedefdae4 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index d5b22ce2455..647ac6aa6ed 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/10"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
index 05117130acd..b798b066051 100644
--- a/rules/windows/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml
index 0c543a4dad2..ffaaf3a68b9 100644
--- a/rules/windows/privilege_escalation_create_process_as_different_user.toml
+++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 67ed328f7a1..430416e2605 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
index 1c637ae95af..fcf2bbc0f02 100644
--- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
+++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
index 42c7e90aa07..3d234029f7e 100644
--- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/04/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 6b5b7bb7ef2..1b27f5b2e7c 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/14"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 8dadcf05a2c..47d409974fc 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index 422023c0acf..4402909dfd2 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 36bd01e491c..eb868f9ce3a 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index fc3b2de0d4d..c2ba7fc2038 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
index 0a42291a546..087a566beff 100644
--- a/rules/windows/privilege_escalation_make_token_local.toml
+++ b/rules/windows/privilege_escalation_make_token_local.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/12/04"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
index 698914de208..d212d3c3159 100644
--- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
+++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-min_stack_version = "8.13.0"
-updated_date = "2024/09/16"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/15"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 4cee3cfe14c..7eba41880c2 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index abdd7977d67..24f8d22772d 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/09"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 5d36aec1f41..adf2a9fa8d7 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 6afb7943b6e..65e8bd0d499 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
index 67d05be0661..fb45da30925 100644
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/06/05"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 9a29ac4ed62..c87668f25ff 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 769f48562a5..74ffe84b293 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index a69fe664177..fefb0011f29 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index 416ee0ec1f4..100d963e6e4 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/11"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index 102ba1d8e2e..b661cf23c54 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index d077821bd6a..fc2f865bcc9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index cdc359c9ae1..216891dbd73 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index c17e54dc717..1f75e4522af 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 63fb98c351c..c3fa50e9598 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index d97f9246c3b..8e26acb0697 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 2ec0879111d..dd7ecfc5896 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index f4669866568..fb2a6f583ab 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 9da01c7407e..939cb994cf6 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index f1ec42c5e68..a5d975e7816 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/13"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index ce1b7bd3c44..be4a105e0a7 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 5d77eb6dc65..99d0b03ae20 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 0af2207b2f3..12e5a8b5448 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
-min_stack_version = "8.13.0"
-min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 52704a92758..05672066a7b 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index caf0ca52a2d..758b1a47d47 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/15"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]