From 508f076902f488e8c784a34d7e2ef2558273c06f Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Wed, 23 Apr 2025 17:59:01 +0530
Subject: [PATCH 1/5] Fix versions for changes in required_fileds

---
 .../defense_evasion_clearing_windows_security_logs.toml | 4 +++-
 rules/windows/execution_windows_script_from_internet.toml | 6 +++---
 rules/windows/persistence_group_modification_by_system.toml | 4 +++-
 ...rsistence_user_account_added_to_privileged_group_ad.toml | 4 +++-
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 6536cdf6cd8..5d17bb85f21 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/23"
+min_stack_version = "9.0.0"
+min_stack_comments = "Required ecs filed winlog.api type change in version 9.0.0"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
index 828b9b149c2..26776c5eddf 100644
--- a/rules/windows/execution_windows_script_from_internet.toml
+++ b/rules/windows/execution_windows_script_from_internet.toml
@@ -2,9 +2,9 @@
 creation_date = "2025/01/31"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."
-min_stack_version = "8.15.0"
-updated_date = "2025/02/14"
+updated_date = "2025/04/23"
+min_stack_version = "9.0.0"
+min_stack_comments = "Required ecs filed file.origin_referrer_url,file.origin_url type change in version 9.0.0"
 
 [rule]
 author = ["Elastic"]
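Review bot: In the execution_windows_script_from_internet hunk, replacing `min_stack_version = "8.15.0"` with `"9.0.0"` means stacks between 8.15.0 and 9.0.0 no longer receive this rule, while the removed comment says the Mark of The Web enrichment it relies on has been present in Elastic Defend file events since 8.15.0; if the only change in 9.0.0 is the ECS type of `file.origin_referrer_url`/`file.origin_url` and the query still matches on 8.15+, this is a detection-coverage regression for those users, so the higher pin needs a stated justification (or the 8.15.0 pin kept) before it lands. Whatever the reason turns out to be, the new comment should say what actually breaks below 9.0.0 rather than only naming the fields, e.g. `min_stack_comments = "file.origin_referrer_url and file.origin_url changed ECS type in 9.0.0; the rule's required_fields do not validate against earlier schemas"` — to be confirmed against the schema change. The added lines also move `updated_date` above the `min_stack_*` keys, whereas the removed lines kept the [metadata] keys alphabetical; restoring that order avoids a spurious diff if the repository normalizes key order. The enclosing [metadata] table header is outside the hunk.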
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index 2898f609ef9..39e7a3ad9a6 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/06/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/23"
+min_stack_version = "9.0.0"
+min_stack_comments = "Required ecs filed winlog.api type change in version 9.0.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index edcaee98237..7cec094a7e7 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/23"
+min_stack_version = "9.0.0"
+min_stack_comments = "Required ecs filed winlog.api type change in version 9.0.0"
 
 [rule]
 author = ["Elastic", "Skoetting"]

From be4f23b27f87158c1b4b20ee412f36746d488258 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Wed, 23 Apr 2025 22:16:49 +0530
Subject: [PATCH 2/5] Revert winlog.api minstack changes

---
 .../defense_evasion_clearing_windows_security_logs.toml | 4 +---
 rules/windows/persistence_group_modification_by_system.toml | 4 +---
 ...persistence_user_account_added_to_privileged_group_ad.toml | 4 +---
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 5d17bb85f21..6536cdf6cd8 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/04/23"
-min_stack_version = "9.0.0"
-min_stack_comments = "Required ecs filed winlog.api type change in version 9.0.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index 39e7a3ad9a6..2898f609ef9 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/04/23"
-min_stack_version = "9.0.0"
-min_stack_comments = "Required ecs filed winlog.api type change in version 9.0.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 7cec094a7e7..edcaee98237 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/04/23"
-min_stack_version = "9.0.0"
-min_stack_comments = "Required ecs filed winlog.api type change in version 9.0.0"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic", "Skoetting"]

From 623fabf58a06d2b86175d311dbc60cf7343d8167 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 23 Apr 2025 22:20:36 +0530
Subject: [PATCH 3/5] Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 rules/windows/execution_windows_script_from_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
index 26776c5eddf..ea2c70225a9 100644
--- a/rules/windows/execution_windows_script_from_internet.toml
+++ b/rules/windows/execution_windows_script_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 updated_date = "2025/04/23"
 min_stack_version = "9.0.0"
-min_stack_comments = "Required ecs filed file.origin_referrer_url,file.origin_url type change in version 9.0.0"
+min_stack_comments = "Required ecs field file.origin_referrer_url,file.origin_url type change in version 9.0.0"
 
 [rule]
 author = ["Elastic"]

From 73819e197a882a6b509b2135008d1f11eb1dffe3 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Thu, 24 Apr 2025 05:37:08 +0530
Subject: [PATCH 4/5] Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 rules/windows/execution_windows_script_from_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
index ea2c70225a9..d5bf7441ec9 100644
--- a/rules/windows/execution_windows_script_from_internet.toml
+++ b/rules/windows/execution_windows_script_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 updated_date = "2025/04/23"
 min_stack_version = "9.0.0"
-min_stack_comments = "Required ecs field file.origin_referrer_url,file.origin_url type change in version 9.0.0"
+min_stack_comments = "Required ecs field file.origin_referrer_url, file.origin_url type change in version 9.0.0"
 
 [rule]
 author = ["Elastic"]

From f4081a5948f265a04ac516ceb45c916dfd63024f Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Thu, 24 Apr 2025 05:56:01 +0530
Subject: [PATCH 5/5] Update rules/windows/execution_windows_script_from_internet.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 rules/windows/execution_windows_script_from_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
index d5bf7441ec9..c1e7c473302 100644
--- a/rules/windows/execution_windows_script_from_internet.toml
+++ b/rules/windows/execution_windows_script_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 updated_date = "2025/04/23"
 min_stack_version = "9.0.0"
-min_stack_comments = "Required ecs field file.origin_referrer_url, file.origin_url type change in version 9.0.0"
+min_stack_comments = "The fields file.origin_referrer_url and file.origin_url were introduced in ECS as of version 9.0.0"
 
 [rule]
 author = ["Elastic"]
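Review bot: In the PATCH 5/5 hunk, the final wording `min_stack_comments = "The fields file.origin_referrer_url and file.origin_url were introduced in ECS as of version 9.0.0"` gives a different reason for the 9.0.0 gate than the rest of this series: the first patch's subject and all three earlier revisions of this line describe a type change in the required fields, and the 8.15.0 comment removed in patch 1 says the enrichment carrying these fields already existed in Elastic Defend file events. A reader auditing why this rule stopped shipping to pre-9.0.0 stacks will find those statements contradictory, so the comment should name the actual gate; if the fields pre-date 9.0.0 but their ECS definition or type changed then, something like `min_stack_comments = "file.origin_referrer_url and file.origin_url changed in ECS 9.0.0; the rule's required_fields only validate from that version"` is more accurate — confirm against the schema change before settling the wording. The enclosing [metadata] table starts outside the hunk.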