diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index 9dbe6ea1886..3a940510079 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
 integration = ["endpoint", "windows"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index 1e1a7b527f0..90e465b33eb 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
index 2e19f754610..d1d9311a1ef 100644
--- a/rules/windows/collection_mailbox_export_winlog.toml
+++ b/rules/windows/collection_mailbox_export_winlog.toml
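Review bot: `updated_date = "2024/05/28"` in the credential_access_cookies_chromium_browsers_debugging hunk does not match the `2024/10/28` every other hunk in this commit writes, and the impact_stop_process_service_threshold hunk further down sets `2024/09/28`; both look like slips of the commit date rather than deliberate values, so they should probably read `updated_date = "2024/10/28"`. Only the two `min_stack_*` keys are added in those files, so an older date would misreport when the rule was last touched; worth confirming before merge.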
@@ -2,9 +2,9 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 83b9dd436a5..c1accd7d8fc 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index c6e1220018f..d08e2472044 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/12"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 3c28c1d1897..7e89556a964 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
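Review bot: The two added `min_stack_*` keys land in three different positions across this commit: between `maturity` and `updated_date` where they replace the existing 8.12 entries (collection_mailbox_export_winlog here), after `updated_date` where they are appended (collection_posh_audio_capture here and most of the later hunks), and before `maturity` in the first-line hunks and the impact_stop_process_service_threshold, initial_access_exfiltration_first_time_seen_usb and rules_building_block hunks. The removed lines show `[metadata]` keys kept in alphabetical order, so the consistent placement is `maturity`, `min_stack_comments`, `min_stack_version`, `updated_date`; if the repository's formatter sorts these keys, the out-of-order files will churn on the next pass. Separately, the removed `min_stack_comments` recorded why these rules already required 8.12.0 (KQL backslash and `?` handling); 8.14.0 still satisfies that floor, but the rationale is lost. Consider keeping it, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration; KQL handles backslash and ? characters differently in 8.12+."`. The same applies to the other 8.12 replacements in this diff (collection_posh_clipboard_capture, defense_evasion_posh_assembly_load, defense_evasion_posh_compressed, discovery_posh_suspicious_api_functions, discovery_privileged_localgroup_membership, execution_posh_hacktool_functions, execution_posh_psreflect, lateral_movement_posh_winrm_activity).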
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index b0ce9e211c5..6e8c811794d 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index bf6cba3bc82..cd618e1b03b 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml
index 1def216d61c..a0006542832 100644
--- a/rules/windows/collection_posh_webcam_video_capture.toml
+++ b/rules/windows/collection_posh_webcam_video_capture.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/18"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index eb1c069f052..3d5a827c1ec 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 41bd37d209f..297d754388a 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml
index 1f7178080fa..409b70d352e 100644
--- a/rules/windows/credential_access_dcsync_user_backdoor.toml
+++ b/rules/windows/credential_access_dcsync_user_backdoor.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 3b6b8673ff7..544479e0c11 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 03a0f56c4dd..e87ba7dc1ed 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 525855cb61a..4f7d07531b8 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index faac39910a5..b5353cf14ca 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 801b74645c3..9a743631e87 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/05"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index ea39ef5da38..c376b490b2d 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 1e24dacafd7..f2e118fe27b 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index e7be3dd4ea0..65831163c1c 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 510c8d2c017..373f75f2af5 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 08dc30eba2b..82d9958857d 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index ed8ffb8d2f4..c9893d59078 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 7b152155ce7..157283aefb3 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 09965632f34..17c7835fb28 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index e0290026072..5f4a892c41c 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 8f9d32fbfe8..c5462af0a0c 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 254454f013c..bb5c221efa9 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 02ab47c8226..0e0e298687a 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 7ee9ef5c103..1f96285114f 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/09/30"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 9bbb2709f45..d4bcbc3497d 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/19"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 48ed684c22d..6a1bc05123b 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml
index 3710498c604..a526da2b50a 100644
--- a/rules/windows/defense_evasion_posh_obfuscation.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/03"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 112011fecce..9d74159faf4 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 717838974c3..d445261d76b 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 2e8154ae1f5..01d1b468192 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 7055e324d57..f712d843056 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/15"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/08/26"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index cb7d95b4606..36edde84180 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml
index b4c00d88bf4..40c31c3be42 100644
--- a/rules/windows/execution_posh_hacktool_authors.toml
+++ b/rules/windows/execution_posh_hacktool_authors.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/08"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 75b315e2bcb..9bf1665b176 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index 579739d5989..03f85f3d9ae 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index fa2f38e79ac..f3f0d9943f1 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml
index 657be1416e0..4d605159cf9 100644
--- a/rules/windows/exfiltration_smb_rare_destination.toml
+++ b/rules/windows/exfiltration_smb_rare_destination.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index fd67fe3f8d4..f7f1fab038e 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 9b6b1b7ea85..f73fa9494db 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/03"
 integration = ["endpoint", "windows", "system"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/09/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index 6e164d60ec1..288d91f4f02 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index bb8b826cb35..b8afff146d2 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/03/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index 525b66d0c1d..943a4663f0c 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 350dda43942..7ec546f3a2e 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 584f1c76284..316984f9db8 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/04"
 integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Skoetting"]
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index 34550b651d2..2595cb73e58 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
index 67a1660241b..77e4e70c55a 100644
--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index e27d5ab42e9..5e72db6df43 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/07/17"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 59416adb23a..f43288f064e 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/28"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
index f39bae27640..1eed992f989 100644
--- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,8 +2,10 @@
 bypass_bbr_timing = true
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
index b7e1e6414dd..37b12767ed3 100644
--- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
@@ -2,8 +2,10 @@
 bypass_bbr_timing = true
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index cd733c9fade..d58b327e2a1 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -2,8 +2,10 @@
 bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint", "system"]
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index 405a7a6665a..1ab4424ae66 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
-min_stack_version = "8.12.0"
-updated_date = "2024/03/12"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/10/28"
 
 [rule]
 author = ["Elastic"]
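Review bot: Overwriting `min_stack_comments` here drops the recorded reason for the earlier 8.12.0 floor (KQL treating backslash and `?` differently), even though the new 8.14.0 floor still enforces it; the constraint survives but the rationale does not, so someone later relaxing the version would have no hint that this rule's query depends on the 8.12 escaping behaviour. Suggest keeping both reasons in the one string, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration; KQL handles backslash and ? characters differently in 8.12+."`. The same applies anywhere else in this change that replaces the 8.12 comment rather than appending to it.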
