Conversation

shashank-elastic

Pull Request

Issue link(s): As part of release https://github.com/elastic/ia-trade-team/issues/694

Summary - What I changed

How To Test

  • Unit test to pass

Checklist

  • Added a label for the type of PR: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning, so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@shashank-elastic shashank-elastic self-assigned this Sep 15, 2025
@shashank-elastic shashank-elastic marked this pull request as ready for review September 15, 2025 16:27

Enhancement - Guidelines

These guidelines serve as a reminder of the considerations to address when adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label (patch, minor, major) is applied to the PR.

@tradebot-elastic

tradebot-elastic commented Sep 15, 2025

Test succeeded

Results

@botelastic botelastic bot added Domain: Endpoint OS: Windows windows related rules labels Sep 15, 2025
@tradebot-elastic

tradebot-elastic commented Sep 15, 2025

⛔️ Test failed

Results
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 15, 2025

⛔️ Test failed

Results
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 15, 2025

⛔️ Test failed

Results
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta


@w0rk3r w0rk3r left a comment

I replaced the Possible investigation steps and Response and remediation with more relevant steps. Other than that, LGTM

@tradebot-elastic

tradebot-elastic commented Sep 15, 2025

⛔️ Test failed

Results
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta


@eric-forte-elastic eric-forte-elastic left a comment

Updated date is in the future/October. Please update. Thanks!

[image attached to the comment]

@tradebot-elastic

tradebot-elastic commented Sep 15, 2025

⛔️ Test failed

Results
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Sep 16, 2025

⛔️ Test failed

Results
  • ❌ PowerShell Script with Windows Defender Tampering Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic shashank-elastic merged commit 657b504 into main Sep 16, 2025
12 checks passed
@shashank-elastic shashank-elastic deleted the add_guides branch September 16, 2025 13:04
5 participants