[Rule Tuning] Remove host.os.type Unit Test Forwarded Events Exception

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.9"
+version = "1.5.10"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/windows/credential_access_bruteforce_admin_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,8 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where event.action == "logon-failed" and winlog.logon.type : "Network" and
+  [authentication where host.os.type == "windows" and
+    event.action == "logon-failed" and winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
 
     /* noisy failure status codes often associated to authentication misconfiguration */

rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [transform]
 [[transform.osquery]]
@@ -111,7 +111,7 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=5s
-  [authentication where event.action == "logon-failed" and
+  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and user.id != null and 
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and 
@@ -120,7 +120,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s
 
     /* noisy failure status codes often associated to authentication misconfiguration */
     not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
-  [authentication where event.action == "logged-in" and
+  [authentication where host.os.type == "windows" and event.action == "logged-in" and
     /* event 4624 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [transform]
 [[transform.osquery]]
@@ -121,7 +121,7 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where event.action == "logon-failed" and
+  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and

rules/windows/credential_access_dcsync_newterm_subjectuser.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -95,11 +95,12 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.code:"4662" and winlog.event_data.Properties:(
-                               *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
-                               *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
-                               *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
- not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
+event.code:"4662" and host.os.type:"windows" and 
+  winlog.event_data.Properties:(
+    *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
+    *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
+    *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
+  not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
 '''
 
 

rules/windows/credential_access_dcsync_user_backdoor.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"5136" and
+event.code:"5136" and host.os.type:"windows" and
   winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
   winlog.event_data.AttributeValue : (
     (

rules/windows/credential_access_kerberos_coerce.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/14"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/06/14"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -93,8 +93,11 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
-(event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+host.os.type:"windows" and
+(
+  (event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
+  (event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+)
 '''
 
 

rules/windows/credential_access_ldap_attributes.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.code == "4662" and
+any where host.os.type == "windows" and event.code == "4662" and
 
   not winlog.event_data.SubjectUserSid : "S-1-5-18" and
 

rules/windows/credential_access_machine_account_smb_relay.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/06/16"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.code == "5145" and endswith(user.name, "$") and
+file where host.os.type == "windows" and event.code == "5145" and endswith(user.name, "$") and
 
  /* compare computername with user.name and make sure they match */
  startswith~(winlog.computer_name, substring(user.name, 0, -1)) and

rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -73,12 +73,12 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 
  /* 2 consecutive vault reads from same pid for web creds */
 
- [any where event.code : "5382" and
+ [any where host.os.type == "windows" and event.code == "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7" and
   not winlog.event_data.Resource : "http://localhost/"]
 
- [any where event.code : "5382" and
+ [any where host.os.type == "windows" and event.code == "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7" and
   not winlog.event_data.Resource : "http://localhost/"]

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
+event.code:4704 and host.os.type:"windows" and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
 '''
 
 

rules/windows/credential_access_shadow_credentials.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -99,7 +99,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and
+event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and
   winlog.event_data.AttributeValue :B\:828* and
   not winlog.event_data.SubjectUserName: MSOL_*
 '''

rules/windows/credential_access_spn_attribute_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -98,7 +98,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:5136 and winlog.event_data.OperationType:"%%14674" and
+event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:"%%14674" and
   winlog.event_data.ObjectClass:"user" and
   winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 '''

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -97,12 +97,12 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m
- [iam where event.action == "logged-in-special"  and
+ [iam where host.os.type == "windows" and event.action == "logged-in-special" and
   winlog.event_data.PrivilegeList : "SeBackupPrivilege" and
 
   /* excluding accounts with existing privileged access */
   not winlog.event_data.PrivilegeList : "SeDebugPrivilege"]
- [any where event.code == "5145" and winlog.event_data.RelativeTargetName : "winreg"]
+ [any where host.os.type == "windows" and event.code == "5145" and winlog.event_data.RelativeTargetName : "winreg"]
 '''
 
 

rules/windows/discovery_high_number_ad_properties.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
+any where host.os.type == "windows" and event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
  winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
 '''
 

rules/windows/lateral_movement_remote_service_installed_winlog.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -66,9 +66,9 @@ type = "eql"
 
 query = '''
 sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
-[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
-event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
-[iam where event.action == "service-installed" and
+[authentication where host.os.type == "windows" and event.action == "logged-in" and winlog.logon.type : "Network" and
+ event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
+[iam where host.os.type == "windows" and event.action == "service-installed" and
  not winlog.event_data.SubjectLogonId : "0x3e7" and
  not winlog.event_data.ServiceFileName :
                ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",

rules/windows/lateral_movement_remote_task_creation_winlog.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-iam where event.action == "scheduled-task-created" and
+iam where host.os.type == "windows" and event.action == "scheduled-task-created" and
  winlog.event_data.RpcCallClientLocality : "0" and winlog.event_data.ClientProcessId : "0"
 '''
 

rules/windows/persistence_ad_adminsdholder.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
+event.code:5136 and host.os.type:"windows" and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
 '''
 
 

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-iam where event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*"
+iam where host.os.type == "windows" and event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*"
 '''
 
 

rules/windows/persistence_remote_password_reset.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -76,13 +76,13 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name with maxspan=1m
-  [authentication where event.action == "logged-in" and
+  [authentication where host.os.type == "windows" and event.action == "logged-in" and
     /* event 4624 need to be logged */
     winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
     source.ip != "127.0.0.1" and source.ip != "::1" and
     not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
    /* event 4724 need to be logged */
-  [iam where event.action == "reset-password" and
+  [iam where host.os.type == "windows" and event.action == "reset-password" and
    (
     /*
        This rule is very noisy if not scoped to privileged accounts, duplicate the